b' DEPARTMENT OF HOMELAND SECURITY\n\n             Office of Inspector General\n\n\n\n       Major Management Challenges\n  Facing the Department of Homeland Security\n\n\n\n\n       (Ex\n\n\n\n\n       (Excerpts from the FY 2007 DHS\n       Annual Financial Report)\n\n\n\n\nOIG-08-11                          January 2008\n\x0c                                                               Office of Inspector General\n\n                                                               U.S. Department of Homeland Security\n                                                               Washington, DC 20528\n\n\n\n\n                                       January 4, 2008\n\n\n                                       Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established\nby the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of 1978. This is one of a series of audit, inspection, and special reports prepared as\npart of our oversight responsibilities to promote economy, efficiency, and effectiveness within\nthe department.\n\nThe attached report presents the major management challenges facing the Department of\nHomeland Security and was included in DHS\xe2\x80\x99 FY 2007 Annual Financial Report. As required\nby the Reports Consolidation Act of 2000, we update our assessment of management challenges\nannually.\n\nIt is our hope that this report will result in more effective, efficient, and economical operations.\nWe express our appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                       Richard L. Skinner\n                                       Inspector General\n\x0c                                                                    Office of Inspector General\n\n                                                                    U.S. Department of Homeland Security\n                                                                    Washington, DC 20528\n\n\n\n\n                      MAJOR MANAGEMENT CHALLENGES FACING\n                      THE DEPARTMENT OF HOMELAND SECURITY\n\n\nSince its inception in March 2003, the Department of Homeland Security (DHS) has worked to\naccomplish the largest reorganization of the federal government in more than half a century.\nThis task, creating the third largest Cabinet agency with the missions of protecting the country\nagainst another terrorist attack, responding to threats and hazards, ensuring safe and secure\nborders, welcoming lawful immigrants and visitors, and promoting the free-flow of commerce\nhas presented many challenges to its managers and employees. While DHS has made progress,\nit still has much to do to establish a cohesive, efficient, and effective organization.\n\nThe major management challenges we identify facing DHS, including department-wide and\noperational challenges, are a major factor in setting our priorities for audits, inspections, and\nevaluations of DHS programs and operations. As required by the Reports Consolidation Act of\n2000, Pub.L.No. 106-531, we update our assessment of management challenges annually. We\nhave made recommendations in many, but not all, of these areas as a result of our reviews and\naudits of departmental operations. Where applicable, we have footnoted specific reports that\nrequire DHS\xe2\x80\x99 action.\n\nThe major management challenges we identified are:\n      \xe2\x80\xa2 Catastrophic Disaster Response and Recovery\n      \xe2\x80\xa2 Acquisition Management\n      \xe2\x80\xa2 Grants Management\n      \xe2\x80\xa2 Financial Management\n      \xe2\x80\xa2 Information Technology Management\n      \xe2\x80\xa2 Infrastructure Protection\n      \xe2\x80\xa2 Border Security\n      \xe2\x80\xa2 Transportation Security\n      \xe2\x80\xa2 Trade Operations and Security\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 \xe2\x80\x93 Annual Financial Report                          1\n\x0cCATASTROPHIC DISASTER RESPONSE AND RECOVERY\n\nReports issued by the White House, Congress, federal offices of Inspector General, the\nGovernment Accountability Office (GAO), and others, have identified longstanding problems\nwithin the federal government to sufficiently mobilize a coordinated response operation in the\nevent of a catastrophic disaster. The Department of Homeland Security\xe2\x80\x99s (DHS) failures after\nHurricane Katrina ravaged the Gulf Coast illuminated a number of these issues, including\nquestionable leadership decisions and capabilities, organizational failures, overwhelmed\nresponse and communications systems, and inadequate statutory authorities. In the two years\nsince Hurricane Katrina, a number of federal agencies, private sector organizations, and public\noffices have issued reports addressing the Federal Emergency Management Agency\xe2\x80\x99s (FEMA)\nweaknesses in response to Katrina.\n\nAdditionally, Congress enacted six statutes that contain changes that apply to future federal\nemergency management actions. Most of the statutes contain relatively few changes to federal\nauthorities related to emergencies and disasters. The Post-Katrina Emergency Management\nReform Act of 2006 (Post-Katrina Act), Pub.L.No. 109-295,1 however, contains many changes\nthat will have long-term consequences for FEMA and other federal entities. That statute\nreorganizes FEMA, expands its statutory authority, and imposes new conditions and\nrequirements on the operations of the agency. Although FEMA finds itself in a better position\ntoday than it did two years ago, it has not fully implemented the Post-Katrina Act. Many of the\nchanges made as a result of the Act, as well as planned response capabilities for future\ncatastrophic disasters, remain untested.\n\nMany problems plaguing FEMA have existed for years, but they never received the attention\nneeded to fix them because FEMA had never before dealt with such a devastating disaster. We\nare currently in the process of completing audits and reviews to help FEMA turn lessons learned\ninto problems solved and are planning additional work in FY 2008 to assess FEMA\xe2\x80\x99s readiness\nto respond to future catastrophic disasters.\n\nDHS\xe2\x80\x99 and FEMA\xe2\x80\x99s major management challenges in preparing to meet future catastrophic\ndisasters relate to the following areas: (1) coordination of disaster response efforts,\n(2) catastrophic planning, (3) logistics, (4) acquisitions, (5) housing, and (6) evacuation. These\nsix critical areas are discussed in detail below.\n\nCoordination of disaster response efforts. When a catastrophic event occurs, disaster response\nand recovery efforts are not solely a FEMA responsibility \xe2\x80\x93 they are inherently the nation\'s\nresponsibility. Therefore, a successful response to and subsequent recovery from a catastrophic\nevent can be tied directly to the resources and capabilities of citizens, local and state\ngovernments, the federal government, nongovernmental organizations, and the private sector.\nFEMA is the face of our nation\'s response to large-scale disasters and is charged with\ncoordinating the deployment of our nation\'s resources and capabilities, but success can only be\nrealized when all stakeholders are fully prepared and willing to contribute.\n\n\n1\n Post-Katrina Emergency Management Reform Act of 2006 (Post-Katrina Act) Pub.L.No. 109-295, Title VI, 120\nStat.1394.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                    2\n\x0cFEMA\xe2\x80\x99s initial response to Hurricane Katrina was significantly impeded by the adjustments it\nwas making in implementing its responsibilities under DHS\xe2\x80\x99 National Response Plan (NRP),\nwhich was published in December 2004. Moreover, DHS had previously published the National\nIncident Management System (NIMS) in March 2004. The NIMS, along with the NRP,\nrestructured how federal, state, and local government agencies and emergency responders\nconduct disaster preparation, response, and recovery activities. Changes needed to implement\nboth plans, however, were still underway when Hurricane Katrina made landfall. Unfortunately,\ntwo years later, DHS and FEMA have yet to finalize and issue the National Response\nFramework, the successor to the NRP, mandated in Title VI of the Post-Katrina Act.\nNotwithstanding that FEMA provided record levels of support to Hurricane Katrina victims,\nstates, and emergency responders, the response to Katrina demonstrated areas where FEMA and\nDHS headquarters must make adjustments relating to the use of incident designations, the role of\nthe Principal Federal Official, and the responsibilities of emergency support function\ncoordinators.\n\nSince FEMA is responsible for providing the necessary emergency management leadership to\nother federal departments, agencies, and other organizations when responding to major disasters,\nit is largely dependent on other agencies and outside resources to execute many activities that\ntake place. Therefore, departments and agencies need to allocate personnel and funding to train,\nexercise, plan, and staff disaster response activities to enable better execution of their roles and\nresponsibilities and plans and procedures. Specific contingency plans must be developed and\nintegrated so that capabilities and gaps are identified and addressed.\n\nHurricane Katrina also highlighted the need for data sharing among federal agencies following a\ncatastrophic disaster. However, data-sharing arrangements between FEMA and other federal\nagencies to safeguard against fraud and promote the delivery of disaster assistance are not in\nplace. Critical tasks, from locating missing children and registered sex offenders to identifying\nduplicate assistance payments and fraudulent applications, have all been hindered because\nmechanisms and agreements to foster interagency collaboration did not exist prior to Hurricane\nKatrina.\n\nCatastrophic Planning. Attempts to plan for an event such as Hurricane Katrina had been\nongoing since 1998, but were never completed for a variety of reasons, including a lack of\nfederal funding, other natural disasters occurring, and the terrorist attacks of September 11, 2001.\nAccording to FEMA officials, the major challenge in conducting catastrophic planning is the\nlack of funding. The GAO reported that requests from FEMA for $100 million for catastrophic\nplanning and an additional $20 million for catastrophic housing planning in fiscal years 2004 and\n2005, respectively, were denied by DHS.2\n\nThe integration of FEMA all hazards preparedness and disaster response and recovery\ncapabilities within DHS requires additional attention. Although an \xe2\x80\x9call-hazards\xe2\x80\x9d approach can\naddress preparedness needs common to both man-made and natural events, DHS must ensure\nthat all four phases of emergency management \xe2\x80\x93 preparedness, response, recovery, and\nmitigation \xe2\x80\x93 are managed throughout the department on an all-hazards basis. Coordination and\n\n2\n Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the Individuals and Households Program to\nFraud and Abuse; Actions Needed to Reduce Such Problems in the Future, GAO-06-1013, September 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                   3\n\x0cconsultation among DHS components and with state and local governments is essential to guide,\nadvise, develop, and monitor all-hazards capabilities and responder effectiveness.\n\nPlanning and exercises also are critical to prepare for and respond to catastrophic events. FEMA\nrecognized the need for catastrophic planning and requested resources for a number of scenarios,\nincluding earthquakes in California and along the New Madrid Seismic Zone, hurricanes along\nthe gulf coast, and terrorist attacks. While Congress has appropriated $20 million recently for\ncatastrophic planning, to be successful, FEMA needs to plan and conduct exercises with its\nfederal, state, and local partners. FEMA needs to continue to develop plans and exercises for\nhigh risk scenarios and include all its emergency management partners.\n\nLogistics. FEMA is responsible for coordinating the delivery of commodities, equipment,\npersonnel, and other resources to support emergency or disaster response efforts, and therefore,\nFEMA\xe2\x80\x99s ability to track resources is key to fulfilling its mission. In response to Hurricane\nKatrina, state officials expressed frustration with the lack of asset visibility in the logistics\nprocess. FEMA used an inconsistent process involving multiple, independent computer and\npaper-based systems, many of which generated numerous, unique tracking numbers and few of\nwhich were cross-referenced. A White House report revealed a highly bureaucratic federal\nsupply process that was not sufficiently flexible or efficient to meet requirements, and that failed\nto leverage the private sector and 21st Century advances in supply chain management.\n\nAfter Hurricane Katrina, FEMA\xe2\x80\x99s Logistics Inventory Management System (LIMS) did not track\nessential commodities, such as food and water. As a result, FEMA could not readily determine\nits effectiveness in achieving DHS\xe2\x80\x99 specific disaster response goals or whether there was a need\nto improve the system. FEMA\xe2\x80\x99s disaster response culture has supported the agency through\nmany crisis situations, such as the 2004 hurricanes. However, FEMA\xe2\x80\x99s reactive approach\nencourages short-term fixes rather than long-term solutions, contributing to the difficulties it\nencountered in supporting response and recovery operations after Hurricane Katrina. Without\ntaking the time to fully define and document systems requirements, it is difficult for FEMA to\nevaluate viable alternatives to its custom-designed systems. Also, the reactive manner in which\ninformation technology systems are funded and implemented has left little time for testing before\nthey are deployed.\n\nIn 2004, FEMA Logistics began testing a total asset visibility pilot program that involved putting\ntracking units on selected trucks to monitor their movement. In response to Hurricane Katrina,\nFEMA could only equip about one third of the trucks with tracking units because funds were not\navailable to purchase units for all trucks. In addition, FEMA could not determine whether a\ntruck had been offloaded or had changed cargo once it left its point of origin because of software\nlimitations of the equipment.\n\nAnother logistics issue is the use of mission assignments. In response to of Hurricane Katrina,\nFEMA issued approximately 2,700 mission assignments totaling about $8.7 billion to other\nfederal agencies to acquire goods and services needed for disaster response activities.\nHistorically, FEMA\xe2\x80\x99s guidance on mission assignments has been vague and agencies\xe2\x80\x99\naccounting practices have varied significantly. As a result, FEMA has had difficulty issuing,\ntracking, monitoring, and closing mission assignments and reconciling agencies\xe2\x80\x99 records to\nFEMA records. FEMA has developed new pre-defined mission assignments to streamline some\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                           4\n\x0cof the initial recurring response activities. In addition, FEMA\'s Disaster Finance Center is\nworking with other federal agencies on appropriate supporting documentation for billings.\n\nSince Hurricane Katrina, FEMA has identified five major commodity storage sites for water,\nmeals, tarps, sheeting, blankets, cots and generators, and has expanded its asset visibility to all\nregions. Reporting capabilities have been enhanced to allow for more comprehensive and real\ntime reporting from the field. FEMA has interagency agreements with key partners at the\nDefense Logistics Agency, U.S. Army Corps of Engineers, the Department of Transportation,\nand the American Red Cross, and is pursuing one with the General Services Administration, to\nsustain efforts at 100 percent of requirements within 72 hours. These interagency agreements\nwill provide FEMA with essential disaster response commodities, such as meals-ready-to-eat,\nfuel, ice, medical supplies, water, cots, blankets, tarps, and rental equipment. Each agency will\nbe responsible for tracking its assets and working closely with FEMA and its total asset visibility\nstaff.\n\nBecause it is essential to its mission to track assets real-time across federal, state, and local\norganizations, FEMA has made improvements to LIMS, and has called on the expertise of the\nprivate sector to improve total asset visibility. The actions to improve logistical capability are\nsteps in the right direction. Recent events, including the Kansas tornado, indicate improvements\nin FEMA\xe2\x80\x99s response and logistics capabilities. However, whether these improvements will work\nfor a catastrophic event are largely untested.\n\nAcquisitions. In the aftermath of Hurricane Katrina, FEMA was not prepared to provide the\nkind of acquisition support needed for a catastrophic disaster. Specifically, FEMA lacked\n(1) sufficient acquisition planning and preparation for many crucial acquisitions needed\nimmediately after the disaster; (2) clearly communicated acquisition responsibilities among\nFEMA, other federal agencies, and state and local governments; and (3) sufficient numbers of\nacquisition personnel to manage and oversee contracts.\n\nPursuant to the Post-Katrina Act, FEMA has undergone significant reorganization, including in\nits acquisition function. Major concerns for the acquisition program include the need for: (1) an\nintegrated acquisition system; (2) a full partnership of FEMA\xe2\x80\x99s acquisition office with other\nfunctions; (3) comprehensive program management policies and processes; (4) appropriate\nstaffing levels and trained personnel; (5) reliable and integrated financial and information\nsystems; and (6) timely corrective actions in response to many OIG and GAO report\nrecommendations.\n\nFEMA has recognized the need to improve acquisition outcomes and has taken positive steps\nthat include:\n\n    \xe2\x80\xa2   Using a hurricane gap analysis tool to identify potential disaster response gaps;\n\n    \xe2\x80\xa2   Executing pre-negotiated or \xe2\x80\x9creadiness\xe2\x80\x9d contracts in advance of disasters;\n\n    \xe2\x80\xa2   Working with DHS\xe2\x80\x99 Disaster Response/Recovery Internal Control Oversight Board to\n        address response problems; and\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            5\n\x0c    \xe2\x80\xa2   Continuing its aggressive hiring of highly trained acquisition professionals.\n\nDespite these positive steps, a number of acquisition readiness concerns remain, including the\nfollowing:\n\n    \xe2\x80\xa2   FEMA has yet to finalize an established process to ensure that federal pre-negotiated\n        contracts for goods and services are coordinated with federal, state, and local\n        governments;\n\n    \xe2\x80\xa2   FEMA has not fully strategized and identified the goods and services for which pre-\n        negotiated contracting may be needed in a catastrophic event; and\n\n    \xe2\x80\xa2   FEMA and other federal agencies may not have enough trained and experienced\n        acquisitions personnel to manage and oversee the vast number of acquisitions that follow\n        major and catastrophic events.\n\nHousing. Possibly the largest problem FEMA faced in the aftermath of Hurricane Katrina was\nproviding financial assistance, sheltering, and housing to evacuees. Because FEMA lacked a\ncatastrophic disaster housing strategy and had never before been faced with meeting the short-\nand long-term housing needs of hundreds of thousands of disaster victims, it relied on shelters,\nhotels, motels, cruise ships, and tents, as well as any other available housing resources to meet\nsheltering and housing needs. FEMA also worked with the Department of Housing and Urban\nDevelopment (HUD) to implement additional programs to provide housing assistance vouchers\nto eligible disaster victims. After approximately two years, FEMA has executed an Interagency\nAgreement with HUD to handle long-term Gulf Coast housing issues.\n\nFEMA\xe2\x80\x99s existing programs were inadequate to handle the magnitude of housing requirements\nafter Hurricane Katrina. Also, the number of victims overwhelmed FEMA\xe2\x80\x99s system for\nverifying victim identities and providing individual assistance payments. Consequently, FEMA\nlessened system controls to accelerate individual assistance payments, resulting in widespread\nfraud. While FEMA subsequently improved its intake process and the system\xe2\x80\x99s capacity, the\nchanges remain untested.\n\nFEMA\xe2\x80\x99s efforts to house victims in travel trailers and mobile homes were not well planned,\ncoordinated, or managed, and some outcomes were not anticipated. FEMA purchased mobile\nhomes without a plan for how the homes would be used. As a result, FEMA now has thousands\nof surplus mobile homes.\n\nThe Post-Katrina Act requires FEMA to develop a National Disaster Housing Strategy. The\nstrategy will focus on sheltering, interim and permanent housing, and the various populations to\nbe served, and will guide FEMA and other federal agencies during disasters. The strategy also\nwill identify gaps, such as additional authorities required to deal with sheltering and housing\noperations, as well as provide flexibility and scalability to meet the unique needs of individual\ndisasters. FEMA has coordinated with other federal agencies and the National Council on\nDisability to develop a strategy to address housing needs for future disasters. The strategy\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            6\n\x0cincludes a Joint Housing Task Force that consists of other federal agencies, state, local, tribal\ngovernments, and volunteer agencies. The task force will convene immediately after a\nPresidential disaster declaration to work with FEMA to coordinate resources and implement\nhousing programs. However, FEMA is looking to other federal and state partners to take a\nbigger role in disaster housing.\n\nWhile lessons learned from Hurricane Katrina have improved housing coordination, FEMA\nneeds to develop and test new and innovative catastrophic disaster housing plans to deal with\nlarge-scale displacement of citizens for extended periods. Traditional housing programs for non-\ntraditional disaster events have been shown to be inefficient, ineffective, and costly.\n\nEvacuations. Lessons learned from Hurricane Katrina have caused FEMA to take a more active\nrole in evacuating victims during major and catastrophic disasters. While the Department of\nTransportation has retained responsibility for some transportation functions, FEMA has taken\nover the standby contracts for air/bus/rail support when state and local governments cannot\nhandle the evacuation process. FEMA is also working closely with states to ensure that\nevacuation plans are in place. It is critical that FEMA and its federal partners coordinate with\nstate and local governments since catastrophic disaster events will likely exceed their capabilities\nto handle mass evacuations.\n\nHurricane Katrina resulted in the activation of Emergency Support Function ESF-6 (Mass Care)\nwith FEMA as coordinator. Because roles and responsibilities were not clearly defined or\nestablished, FEMA found it difficult to identify the number and location of evacuees, as well as\nthe need for shelters. The American Red Cross (ARC) stated it was responsible only for\ncoordination and reporting on ARC mass care operations, while FEMA said it relied heavily on\nARC to coordinate mass care operations and reporting. The mass care failings after Hurricane\nKatrina resulted in the development of the National Sheltering System, which is nearly complete.\nThe system, although untested, should allow FEMA to more easily track victims once they arrive\nat a shelter.\n\nEvacuation plans are complex and must consider a number of scenarios. Recent reports indicate\nthat despite warnings and mandatory evacuation orders, a significant number of individuals will\nnot leave their homes. Others may not be able to evacuate because of health considerations or\nlack of transportation. State and local officials are in the best position to develop evacuation\nplans based on these considerations and on local demographics. However, these officials must\nwork closely with FEMA and its federal partners to minimize the loss of life that can result from\ncatastrophic events such as Hurricane Katrina.\n\n\nACQUISITION MANAGEMENT\n\nBalancing Urgency and Good Business Practices\n\nWith DHS annually spending about 39 percent of its budget through contracts, effective\nacquisition management is fundamental to DHS\xe2\x80\x99 ability to accomplish its missions. Due to our\ncurrent homeland security vulnerabilities, DHS tends to focus its acquisition strategies on the\nurgency of meeting mission needs, rather than balancing urgency with good business practices.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            7\n\x0cExcessive attention to urgency without good business practices leaves DHS and the taxpayers\nvulnerable to spending millions of dollars on unproductive homeland security investments.\nAcquisitions must provide good value, because funds spent ineffectively are not available for\nother, more beneficial uses.\n\nWe have conducted audits and reviews of individual DHS contracts, such as the U.S. Coast\nGuard\xe2\x80\x99s (Coast Guard) Deepwater program and Customs and Border Protection\xe2\x80\x99s (CBP) Secure\nBorder Initiative Network. Common themes and risks emerged from these audits, primarily the\ndominant influence of expediency, poorly defined requirements, and inadequate oversight that\ncontributed to ineffective or inefficient results and increased costs. Numerous opportunities exist\nfor DHS to make better use of good business practices, such as well-defined operational\nrequirements and effective monitoring tools, that would have preserved the government\xe2\x80\x99s ability\nto hold poorly performing contractors accountable.\n\nSuspension and debarment are the most serious methods available to hold government\ncontractors accountable for failed performance and to protect the government\xe2\x80\x99s interests in future\nprocurements. To ensure the government has the option of using these methods, along with\nother tools to hold contractors accountable, the government must lay the groundwork from the\nvery beginning of the acquisition process. That is, contracts must specify precisely expected\noutcomes and performance measures and the government must properly oversee contractor\nperformance. Without these basic provisions, the government will have no basis to assert that a\ncontractor failed to perform, and thus, no basis to pursue suspension and debarment to protect the\ntaxpayers in future procurements.\n\nThe urgency and complexity of DHS\xe2\x80\x99 mission will continue to demand rapid pursuit of major\nacquisition programs. As DHS builds its acquisition management capabilities in the components\nand department-wide, the business of DHS goes on and major procurements continue to move.\nAcquisition is not just awarding a contract, but an entire process that begins with identifying a\nmission need and developing a strategy to fulfill that need through a thoughtful, balanced\napproach that considers cost, schedule, and performance. Urgent acquisitions need more\ndiscipline, not less, because the consequences of failure are higher. DHS needs to distinguish\nbetween truly urgent needs and less urgent needs.\n\nPrograms developed at top speed sometimes overlook key issues during program planning and\ndevelopment of mission requirements. Also, an over-emphasis on expedient contract awards\nmay hinder competition, which frequently results in increased costs. Finally, expediting program\nschedules and contract awards limits time available for adequate procurement planning and\ndevelopment of technical requirements, acceptance criteria, and performance measures. This can\nlead to higher costs, schedule delays, and systems that do not meet mission objectives.\n\nOne procurement method DHS uses is performance-based contracting. While this method has\ncertain advantages over traditional, specifications-based contracting, it also introduces risks that,\nunless properly managed, threaten achievement of cost, schedule, performance, and, ultimately,\nmission objectives.\n\nA performance-based acquisition strategy to address the challenges of DHS\xe2\x80\x99 programs is, in our\nopinion, a good one. Partnering with the private sector adds fresh perspective, insight, creative\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            8\n\x0cenergy, and innovation. It shifts the focus from traditional acquisition models, i.e., strict contract\ncompliance, to one of collaborative, performance-oriented teamwork with a focus on\nperformance, improvement, and innovation. Nevertheless, using this type of approach does not\ncome without risks. To ensure that this partnership is successful, DHS must lay the foundation\nto oversee and assess contractor performance, and control costs and schedules. This requires\nmore effort and smarter processes to administer and oversee the contractors\xe2\x80\x99 work. Therein lies\nthe critical importance of describing mission needs, and the yardsticks by which to measure\nachievement, completely and precisely. Without clear agreement between the government and\nthe contractor about what the procurement is to achieve, the government is vulnerable to cost\noverruns, delays, and, in the end, not receiving a good or service that meets its needs.\n\nPerformance-based contracting may have additional risks, but with forethought and vigorous\noversight, the risks can be managed. \xe2\x80\x9c[R]isk management is the art and science of planning,\nassessing, and handling future events to ensure favorable outcomes. The alternative to risk\nmanagement is crisis management, a resource-intensive process\xe2\x80\x9d with generally more limited\noptions.3 While no one has yet formulated the perfect risk management solution, risks can be\ncontrolled, avoided, assumed, or transferred. For example, programs can develop alternative\ndesigns that use lower risk approaches, competing systems that meet the same performance\nrequirements, or extensive testing and prototyping that demonstrates performance. Risk\nmitigation measures usually are specific to each procurement. The nature of the goods and\nservices procured, the delivery schedule, and dollars involved determine what mitigation is\nappropriate.\n\nA balanced approach is more likely to result in obtaining the right products and services at the\nright times for the right prices. Little disagreement exists about the need for our nation to protect\nitself immediately against the range of threats, both natural and manmade, that we face. At the\nsame time, the urgency and complexity of the department\xe2\x80\x99s mission create an environment in\nwhich many programs have acquisitions with a high risk of cost overruns, mismanagement, or\nfailure. Adopting lower risk acquisition approaches that better protect the government\xe2\x80\x99s interests\nenhance the department\xe2\x80\x99s ability to take action against bad actors.\n\nAn Efficient, Effective, and Accountable Acquisition Function\n\nWe recently published the first of what will be a series of scorecards identifying the progress\nmade in selected acquisition functions and activities within DHS.4 The data included in the\nscorecards reflect our audits and inspections reports issued through March 2007, as well as\nadditional fieldwork conducted in February 2007 and March 2007. We used GAO\xe2\x80\x99s Framework\nfor Assessing the Acquisition Function at Federal Agencies (September 2005) and DHS\xe2\x80\x99\nAcquisition Oversight Program Guidebook (July 2005) as a baseline. These references identify\nthe following five interrelated elements essential to an efficient, effective, and accountable\nacquisition process: organizational alignment and leadership; policies and processes; financial\naccountability; acquisition workforce; and knowledge management and information systems.\n\n3\n  Department of Defense, Defense Acquisition University, Risk Management Guide for DoD Acquisition, Fifth\nEdition (Version 2.0), June 2003.\n4\n  DHS Office of Inspector General, Semiannual Report to the Congress, October 1, 2006 \xe2\x80\x93 March 31, 2007, pages\n59 \xe2\x80\x93 78.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                        9\n\x0cThe Office of the Chief Procurement Officer is the DHS organization with responsibility for all\ndepartment acquisition activities and services. This includes management, administration and\noversight, financial assistance, and strategic and competitive sourcing. Responsibilities also\ninclude the development and publication of department-wide acquisition and financial assistance\nregulations, directives, policies, and procedures. Each component head shares responsibility for\nthe acquisition function with the DHS Chief Procurement Officer. Therefore, the Chief\nProcurement Officer has used collaboration and cooperation with the components as the primary\nmeans of managing DHS-wide acquisition oversight. Specifically, some collaborative methods\ninclude integrating departmental components through common policies and procedures, meeting\nmonthly with component procurement managers, and providing input on component new hires\nand procurement employees\xe2\x80\x99 performances.\n\nRecent congressional testimony, audits, and reviews indicate deficiencies and the need for DHS\nto improve all five elements, such as (1) lack of strong acquisition authority in the Office of the\nChief Procurement Officer and less than full partnership with other departmental functions;\n(2) lack of comprehensive program management policies and processes; (3) ineffective internal\ncontrol over financial reporting; (4) insufficient program management staffing; and (5) unreliable\ninformation systems that are not integrated and do not provide useful reports and analysis. DHS\nacquisition leaders identified some progress, but previously reported deficiencies are largely\nuncorrected. Many remaining acquisition challenges fall outside the Office of the Chief\nProcurement Officer\xe2\x80\x99s control. A brief summary of each element follows.\n\nOrganizational Alignment and Leadership. DHS executive leadership has made modest progress\nin ensuring that the acquisition function achieves the organizational alignment needed to\nperform. Strong executive leadership is needed to ensure that the importance of the acquisition\nfunction is acknowledged and integrated with all other functions involved in, or affected by,\nprocurement activities. One area of improvement is the increased communication by acquisition\nleadership to inform staff about the role and importance of their mission to DHS. The\natmosphere for collaboration between DHS and its components on acquisition matters has\nimproved. However, many still view the acquisition function as a support activity, i.e., a\ncontract processing office, rather than as a partner. Acquisition has begun to receive more\nresources for staffing and training.\n\nPolicies and Processes. DHS has made modest progress in developing policies and processes to\nensure that components comply with regulations, policies, and processes to achieve department-\nwide goals. In 2005, DHS issued a management directive and guidebook that established\npolicies and procedures for oversight of DHS acquisitions, with the common goal of delivering\nmission results while maintaining compliance with applicable laws, regulations, policies, and\nprocedures. An acquisition manual and additional acquisition regulations for DHS have also\nbeen developed. According to GAO and our recent reports and interviews with DHS officials,\nthe need still remains for a comprehensive DHS approach to program management standards.\n\nFinancial Accountability. DHS has made limited progress in ensuring financial oversight and\naccountability within the acquisition function. DHS financial information is generally\nunreliable, and financial systems do not have the internal controls and integration that acquisition\npersonnel require. Also, the acquisition and finance offices have not successfully partnered on\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         10\n\x0cacquisition planning and strategic decision-making. DHS has numerous and persistent issues\nwith inadequate internal controls and data verification. Improper payments have been made, and\nthere are few checks on data once it is recorded in the system. This problem is exacerbated by\nthe use of multiple, nonintegrated information technology systems across the department.\nWithout a reliable data system, it has been very difficult for the financial office to make an\nimpact in the broader acquisition process.\n\nAcquisition Workforce. The capabilities of DHS\xe2\x80\x99 acquisition workforce will determine, to a\ngreat extent, whether major acquisitions fulfill DHS\xe2\x80\x99 urgent and complex mission needs.\nContracting officers, program managers, and Contracting Officer Technical Representatives\n(COTR) make critical decisions on a nearly daily basis that increase or decrease an acquisition\xe2\x80\x99s\nlikelihood of success. DHS has made modest progress in building a skilled acquisition\nworkforce. However, until a fully trained acquisition workforce is developed, it will be difficult\nto achieve further progress needed for an efficient, effective, and accountable acquisition\nfunction.\n\nBoth our office and the GAO have reported that the Office of the Chief Procurement Officer\nneeds more staff and authority to carry out its oversight responsibilities. GAO recommended\nthat DHS provide the Office of the Chief Procurement Officer sufficient resources and\nenforcement authority to enable effective, department-wide oversight of acquisition policies and\nprocedures. We made a similar recommendation. An increase in the personnel budget has\nallowed DHS to fill many needed acquisition staff positions. During fiscal year 2006, the Under\nSecretary for Management established policies for acquisition oversight and directed the eight\ncontracting offices to measure and manage their acquisition organizations. Also, the number of\noversight specialists in the Acquisition Oversight Division is authorized to expand to nine during\nfiscal year 2007. The Office of the Chief Procurement Office has undertaken an outreach\nprogram to involve DHS component staff to manage effectively and assist in acquisition\noversight. In previous reports, our office and GAO identified the need for additional certified\nprogram managers. The Office of the Chief Procurement Officer subsequently created a training\nprogram that likely will increase the pool of certified program managers.\n\nOffice of Personnel Management data indicates that more than 40 percent of DHS\xe2\x80\x99 contracting\nofficers will be eligible to retire within the next five years. To mitigate this circumstance, DHS\nplans to use additional appropriations to hire more personnel and implement an acquisition\ninternship program that will bring in junior staff.\n\nKnowledge Management and Information Systems. DHS has made limited progress since its\ncreation in developing and deploying information systems to track and analyze acquisition data\nand improve user efficiency. Current systems are not fully integrated, contain unreliable input,\nand do not have internal controls to verify data. As a result, the acquisition program cannot\neffectively provide information to its stakeholders and does not have the tools necessary for\nplanning or monitoring its transactions. Many DHS components still maintain their legacy\ncontract writing systems and DHS lacks integration between contract writing and contract\nmanagement systems. DHS has selected PRISM as its standard contract writing system, but the\ndepartment-wide rollout is behind schedule. Integration and data accuracy problems will\ncontinue to exist until all components migrate to the same contract writing system.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         11\n\x0cU.S. Coast Guard Deepwater Acquisition\n\nThe Integrated Deepwater System Program (Deepwater) is a $24 billion, 25-year acquisition\nprogram designed to replace, modernize, and sustain the Coast Guard\xe2\x80\x99s aging and deteriorating\nfleet of ships and aircraft, providing a deepwater capable fleet for 40 years.5 The Deepwater\nacquisition strategy is a non-traditional systems-of-systems approach by which private industry\nwas asked to not only develop and propose an optimal mix of assets, infrastructure, information\nsystems, and people-based solution designed to accomplish all of the Coast Guard\xe2\x80\x99s Deepwater\nmissions, but also to provide the assets, the systems integration, integrated logistics support, and\nthe program management. Under a more traditional acquisition strategy, the government would\ncontract separately for each major activity or asset involved, such as cutters and aircraft, and\ntheir logistics support, communications equipment, systems integration, and program\nmanagement operations.\n\nOver the past year, the OIG, the GAO, the Defense Acquisition University, and Acquisitions\nSolutions, Inc. have conducted audits and studies of the Coast Guard\xe2\x80\x99s Deepwater Program.\nThese reviews have identified a number of management challenges and risks with the Deepwater\nProgram which raise fundamental questions about the viability of the Coast Guard\xe2\x80\x99s \xe2\x80\x9cSystem of\nSystem\xe2\x80\x9d strategy for re-capitalizing and upgrading its Deepwater fleet of small boats, patrol\nboats, cutters, helicopters, and fixed-wing aircraft. These challenges and risks include:\n\n    \xe2\x80\xa2   A contract structure that did not easily adapt to the environment of changing missions and\n        requirements, and major systems integration;\n\n    \xe2\x80\xa2   A Deepwater Executive Officer who did not exercise his oversight authority and, as a\n        result, relied on a lead systems integrator to manage the Deepwater program;\n\n    \xe2\x80\xa2   A contract structure that inhibited the Coast Guard\xe2\x80\x99s ability to exercise an appropriate\n        level of technical oversight over the acquisition of key Deepwater assets and systems;\n\n    \xe2\x80\xa2   A Deepwater acquisition work force that lacks the requisite training, experience,\n        certification, and structure to acquire assets and systems of significant scope and\n        complexity;\n\n    \xe2\x80\xa2   The Coast Guard\xe2\x80\x99s unwillingness to enforce contract performance requirements; and\n\n    \xe2\x80\xa2   The Coast Guard\xe2\x80\x99s acceptance of contractor self-certification of technical standards in\n        lieu of independent third party certification.\n\nAs a result of these and other Deepwater problems, the Coast Guard:\n\n    \xe2\x80\xa2   Discontinued design work on the Fast Response Cutter due to the failure of the contractor\n        to meet minimum design and performance requirements;\n\n5\n The Deepwater area of operations is typically defined as beyond the normal operating range, approximately 50\nmiles from shore.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                        12\n\x0c    \xe2\x80\xa2   Withdrew eight 123-foot patrol boats from service due to the contractor\xe2\x80\x99s failure to meet\n        minimum design, construction, and performance requirements outlined in the Deepwater\n        contract; and\n\n    \xe2\x80\xa2   Authorized the expenditure of $1.6 billion to construct three National Security Cutters\n        with the knowledge that the cutter, as currently designed, had structural design flaws that\n        prevent it from meeting the mission performance requirements outlined in the Deepwater\n        contract.\n\nTo its credit, the Coast Guard now recognizes the need for urgent and immediate changes to the\nway it manages its major acquisitions in general, and the Deepwater Program in particular. For\nexample, the Coast Guard recently issued its Blueprint for Acquisition Reform, July 13, 2007\n(Blueprint), which catalogues many of the aforementioned challenges and risks that have\nhistorically impeded the efficient execution of the Deepwater contract acquisition projects.\nAccording to the Coast Guard, implementing this Blueprint will enhance its ability to efficiently\nexecute asset-based \xe2\x80\x9ctraditional\xe2\x80\x9d projects, effectively employ a governmental or commercial\nentity as a systems integrator for complex acquisitions, and efficiently execute non-major\nacquisitions and contracts for necessary goods and services.\n\nThe Blueprint specifically outlines the Coast Guard\xe2\x80\x99s plans for reorganizing its acquisition\nworkforce, an effort that is expected to take several years and an unknown amount of money to\nimplement. The Blueprint, however, does not contain critical measures of performance that\nwould allow the Department and the Congress to assess the progress being made. For example,\nthe Blueprint does not describe the number and type of acquisition professionals needed or when\nthey are scheduled to arrive on board.6 In addition, while the Blueprint contains a number of key\ninitiatives, it does not clearly state the outcomes that will be achieved, and at what cost to the\nCoast Guard. Finally, neither the Blueprint nor the Coast Guard has identified the changes to the\nDeepwater contract that will be made to ensure full implementation of the Blueprint.\nConsequently, it is difficult to determine whether these initiatives will satisfactorily address the\ncost, schedule, and performance issues associated with the Deepwater Program.\n\nOutlook and OIG Oversight\n\nDHS can protect the public interest in major acquisitions. The long-run solutions include strong\nprogram and procurement offices; clearly articulated program goals; defined program technical\nrequirements, performance measures, and acceptance terms; well-structured contracts; and\nthorough cost and performance oversight. In the near term, DHS can mitigate risks and limit\ngovernment\xe2\x80\x99s exposure through such actions as writing shorter-term contracts with smaller,\nincremental tasks; using contract vehicles that better share risk between government and vendor;\nand ensuring that the government retains negotiating power with decision points and options.\n\n\n\n6\n Major systems acquisition competency areas that are in the greatest need of infusion of experience are program\nmanagement, contracting, and financial management (including earned value management and cost estimating).\nDefense Acquisition University, Quick Look Study, United States Deepwater Program, February 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                          13\n\x0cWe will continue a vigorous audit and investigation program to uncover DHS acquisition\nvulnerabilities and recommend swift, cost-effective improvements. Acquisition management is\nand will continue to be a priority for my office and an area where we focus considerable\nresources. Our plan is to continue examining such crosscutting acquisition issues as workforce\nqualifications, competition, small and disadvantaged business utilization, and corporate\ncompliance, in addition to individual programs, such as Deepwater and the Secure Border\nInitiative.\n\n\nGRANTS MANAGEMENT\n\nIn conjunction with the realignment efforts being undertaken pursuant to the Post-Katrina\nEmergency Management Reform Act of 2006, the grant programs administered by the Office of\nGrants and Training transferred to the FEMA, effective April 1, 2007. Grants and Training grant\nmanagement activities were absorbed within two new FEMA Directorates. Grants and\nTraining\'s grant business and administrative management functions will be centralized in the\nGrants Program Directorate, while program management functions will become a part of the\nNational Preparedness Directorate. Grants and Training\'s financial management activities, which\nwere previously provided by Grants and Training\'s legacy organization at the Department of\nJustice, will be absorbed by FEMA\'s Office of the Chief Financial Officer (OCFO). The OCFO\nwill be responsible for all financial grants management functions within the new FEMA.\nFinancial grants management encompasses all financial activities necessary to manage the grant\nfunds, from appropriation through closeout of the grant award. As a result, FEMA directly\noversees more than 80 percent of all grant resources awarded by DHS. This includes not only\nmitigation programs, but also preparedness grants valued at nearly $4 billion in FY 2007.\n\nRecognizing that this was a mid-year transition, the processes in place to announce Grants and\nTraining grant guidance, receive and review applications, and announce awards remained\nunchanged in FY 2007. The relationship between Grants and Training grantees and\nPreparedness Officers in providing grant guidance and other services also remained unchanged.\nThe Grants Management System (GMS) supports the grant management process involving the\nreceipt of grant applications and grant processing activities. The FEMA Integrated Financial\nManagement Information System (IFMIS) will be the key financial reporting system, which has\nfeeder subsystems for budget, procurement, accounting and other administrative processes and\nreporting. For the short-term, FEMA will run two financial systems: (1) FEMA IFMIS, and\n(2) Grants and Training IFMIS. This will allow FEMA to incorporate all Grants and Training\nfinancial data, including grants data, within the new FEMA. Grants and Training IFMIS\nincludes grantee payment functionality and financial status reporting capabilities. In FY 2008,\nGrants and Training IFMIS data will migrate to FEMA IFMIS to form a unified system.\n\nManaging the multitude of grant programs within DHS poses a significant challenge. The grant\nprograms of other federal agencies that assist states and local governments in improving their\nabilities to prepare for, respond to, and recover from acts of terrorism or natural disasters\ncompound this challenge. The Congress continues to authorize and appropriate funding for\nindividual grant programs within and outside of DHS for similar, if not identical, purposes. In\ntotal, DHS manages more than 80 disaster and nondisaster grant programs. For disaster response\nand recovery efforts, we have identified 36 federal assistance programs that have the potential\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                     14\n\x0cfor duplicating DHS grant programs. In addition, the internal DHS reorganization has\ncompounded these issues, as overlapping jurisdictions and systems must be reconciled. DHS\nmust do more to coordinate and manage grants that are stove-piped for specific, but often related\npurposes, to ensure that they are contributing to our highest national preparedness and disaster\nrecovery goals, rather than duplicating one another and being wasted on low-priority capabilities.\n\nThe administration has authorized more than $110 billion to support recovery efforts in the\nnation\'s Gulf Coast as a consequence of Hurricanes Katrina, Wilma, and Rita. In the Gulf Coast\nstates affected by these hurricanes, numerous federal grants from different agencies and\ncomponents of DHS are going to state and local governments, private organizations, and\nindividuals for response and recovery from these hurricanes, as well as for the next disaster or\nterrorist attack. We are currently reviewing disaster grant activities throughout the Gulf Coast\nand will continue to give special emphasis to Gulf Coast disaster response and recovery grant\nspending.\n\nIn FY 2008, DHS is expecting to award approximately $3.2 billion for state and local\npreparedness expenditures, as well as assistance to firefighters. Of this amount, $2.2 billion is\nrequested for DHS to fund grant, training, and exercise programs under FEMA. In addition, in\ncoordination with the state preparedness grant program, FEMA will be administering the\n$1 billion Public Safety Interoperable Communications grant program in partnership with the\nDepartment of Commerce. We are reviewing individual state\xe2\x80\x99s management of first responder\ngrants and the effectiveness of DHS\xe2\x80\x99 system for collecting data on state and local governments\xe2\x80\x99\nrisk, vulnerability, and needs assessments. Our audits have reported on the states\xe2\x80\x99 inability to\neffectively manage and monitor these funds and demonstrate and measure improvements in\ndomestic security. Our reports also pointed out the need for DHS to monitor the preparedness\nof state and local governments, grant expenditures, and grantee adherence to the financial terms\nand conditions of the awards.7\n\nGiven the billions of dollars appropriated annually for disaster and nondisaster grant programs,\nDHS needs to ensure that internal controls are in place and adhered to, and grants are sufficiently\nmonitored to achieve successful outcomes. DHS must ensure that, to the maximum extent\npossible, disaster and homeland security assistance go to those states, local governments, private\norganizations, or individuals eligible to receive such assistance and that grantees adhere to the\nterms and conditions of the grant awards. DHS needs to continue refining its risk-based\napproach to awarding first responder grants to ensure that areas and assets that represent the\ngreatest vulnerability to the public are as secure as possible. It must incorporate sound risk\n\n7\n DHS OIG: The State of New Jersey\xe2\x80\x99s Management of State Homeland Security Grants Awarded During Fiscal\nYears 2002 through 2004, OIG-07-58, July 2007; Audit of State Homeland Security Grants Awarded to the\nAmerican Samoa Government, OIG-07-42, May 2007; The State of North Carolina\xe2\x80\x99s Management of State\nHomeland Security Grants Awarded During Fiscal Years 2002 and 2003, OIG-07-02, October 2006; Audit of\nEmergency Management Performance Grant Funds Awarded to the Virgin Islands Territorial Emergency\nManagement Agency, DA-07-01, October 2006; The Commonwealth of Virginia\xe2\x80\x99s Management of State Homeland\nSecurity Grants Awarded During Fiscal Years 2002 and 2003, OIG-06-45, July 2006; Audit of Grant 2004-TK-TX-\n003 and 2005-GH-T5-0001 Awarded to the National Domestic Preparedness Coalition of Orlando, Florida, OIG-\n06-34, May 2006; and The State of Indiana\xe2\x80\x99s Management of State Homeland Security Grants Awarded During\nFiscal Years 2002 and 2003, OIG-06-19, December 2005.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                 15\n\x0cmanagement principles and methodologies to successfully prepare for, respond to, recover from,\nand mitigate acts of terrorism and natural disasters.\n\nDHS management recognizes these challenges. DHS is planning a study to provide a single\ngrants management system for all nondisaster-related grants. In addition, a risk-based grant\nallocation process was completed in FY 2006. DHS risk analysis was a critical component of the\nprocess by which allocations were determined for such programs as the Homeland Security\nGrant Program, Transit Security Grant Program, Port Security Grant Program, and the Buffer\nZone Protection Program.\n\n\nFINANCIAL MANAGEMENT\n\nFinancial management has been a significant challenge for DHS since its creation in 2003. This\nyear, the independent auditors, KPMG LLP (KPMG), under contract with the OIG will be unable\nagain to complete an audit of the DHS consolidated balance sheet and Statement of Custodial\nActivity as of and for the year ended September 30, 2007. In addition, KPMG noted that\nnumerous material weaknesses in internal control continued to exist. However, the majority of\nthe department\xe2\x80\x99s material weaknesses in internal control are attributable to conditions existing at\nthe Coast Guard.\n\nThe material weaknesses in internal control are impediments to obtaining an unqualified opinion\nand have precluded management from giving positive assurance over internal control at the\ndepartment level.8 DHS\xe2\x80\x99 ability to obtain an unqualified audit report and provide assurances that\nits system of internal control is designed and operating effectively, is highly dependent upon\nprocess and procedural improvements at the Coast Guard, Immigration and Customs\nEnforcement (ICE), Transportation Security Administration (TSA), FEMA and OCFO.\n\nTo move forward, DHS must develop a comprehensive financial management strategy that\naddresses organizational resources and capabilities, inconsistent and flawed business processes,\nand unreliable financial systems. In FY 2006, DHS took the initial step in this process by\npreparing comprehensive corrective action plans to address known internal control weaknesses.\nThe corrective actions plans from each component were incorporated into a single management\nstrategy document identified as the Internal Control Over Financial Reporting playbook. The\nDHS CFO, with the support of executive leadership and the involvement of component financial\nmanagement, has aggressively pursued corrective actions throughout FY 2007.\n\nConsequently, during FY 2007, we anticipate that DHS will make progress in addressing some\ninternal control deficiencies. We will perform a series of performance audits later this year,\nwhich are intended to assess the extent of progress and the status of planned corrective actions.\nThese audits will be completed and available early in the second quarter of FY 2008. Further,\nconditions reported as material weaknesses in internal control in previous independent auditor\nreports will be updated and reported in the DHS Performance and Accountability Report,\nsubmitted to the Office of Management and Budget on or before November 15, 2007. The\n\n\n8\n    DHS-OIG, Independent Auditors\' Report on DHS\' FY 2006 Financial Statements, OIG-07-10, November 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                    16\n\x0cindependent auditor report will include specific conditions and recommendations for DHS\nconsideration in updating its corrective actions in FY 2008.\n\n\nINFORMATION TECHNOLOGY MANAGEMENT\n\nIntegrating the information technology (IT) systems, networks, and capabilities of the various\nlegacy agencies to form a single infrastructure for secure, effective communications and\ninformation exchange remains one of DHS\xe2\x80\x99 biggest challenges. There are multiple aspects to\nachieving such an IT infrastructure. For example, creating an adequate capability for relocating\nmission critical information systems to an alternate disaster recovery site in the event of extended\nservice disruptions or emergency is one concern. Implementing a department-wide program that\nensures effective information security controls and addresses IT risks and vulnerabilities is just\nas key. Further, improved IT planning, requirements identification, and analysis will be essential\nnot only to acquire and implement the systems and other technologies needed to streamline\noperations within individual DHS component organizations, but also to support effective\nhomeland security information sharing with state and local governments, the private sector, and\nthe public. Without sound department-wide planning, coordination, and direction, the potential\nfor integrating advanced data mining functionality and capabilities to address homeland security\nissues will remain untapped also. Finally, DHS faces a major challenge in addressing privacy\nconcerns while integrating its myriad systems and infrastructures.\n\nDepartment-wide IT Infrastructure\n\nCreating an adequate disaster recovery capability for DHS\xe2\x80\x99 information systems is a major\nconcern. DHS\xe2\x80\x99 IT infrastructure remains a collection of legacy networks, systems, and data\ncenters. Several elements of this IT infrastructure do not have the ability to relocate to an\nalternate site that can be used if their primary facility suffers an extended outage or becomes\ninaccessible. This inability to restore the functionality of DHS\xe2\x80\x99 critical IT systems following a\nservice disruption or disaster could negatively affect accomplishment of a number of essential\nDHS missions, including passenger screening, grants processing, and controlling the flow of\ngoods across U.S. borders.\n\nDHS has focused on this issue by establishing the National Center for Critical Information\nProcessing and Storage (NCCIPS). The NCCIPS is to provide hosting of departmental\napplications, network connectivity, and critical data storage under the direction of DHS\xe2\x80\x99 Chief\nInformation Officer (CIO). In FY 2007, DHS awarded a contract for a second data center to\nsupplement NCCIPS. DHS listed the second data center as a large, redundant, secure, scalable\ncapability that will provide DHS with sufficient backup, disaster recovery, and continuity of\noperations in an emergency. The NCCIPS and the second data center are to have \xe2\x80\x98active-active\xe2\x80\x99\nprocessing capability to ensure each mission critical system has a complete disaster recovery\ncapability. DHS plans to close 16 existing data centers by moving their processing to the new\nactive-active processing data centers.\n\nDue to a lack of identified funding for migration of systems, DHS has been hindered in its efforts\nto establish the NCCIPS as an alternate processing facility. Specifically, DHS has stated that\nmigration of systems to NCCIPS will be based on availability of funding, not on criticality of the\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            17\n\x0csystem. Ensuring that the initial funds provided are spent effectively and will enable DHS to\nachieve the desired disaster recovery capability in a timely fashion will involve significant\nresources, oversight, and senior management attention.\n\nSimilarly, upgrading the DHS data communications infrastructure and consolidating the various\norganizations that provide data communications support are major undertakings for DHS.\nCoordinating these related communications upgrade efforts will require significant resources and\noversight. Further, DHS will need to demonstrate how it will achieve the envisioned cost\nsavings. Ensuring that DHS data communications activities remain effective and secure during\nthe upgrade and transition also is a major concern.\n\nSecurity of IT Infrastructure\n\nThe security of IT infrastructure is a major management challenge. As required by the Federal\nInformation Security Management Act (FISMA), the CIO must develop and implement a\ndepartment-wide information security program that ensures the effectiveness of security controls\nover information resources, including its intelligence systems, and addresses the risks and\nvulnerabilities facing DHS\xe2\x80\x99 IT systems.\n\nAs we reported in September 2007, based on its annual FISMA evaluation, excluding its\nintelligence systems, DHS continues to improve and strengthen its security program.9 DHS\nimplemented a performance plan to measure the component\xe2\x80\x99s progress toward full compliance\nwith its information security program. The performance plan tracks key elements indicative of a\nstrong, functioning security program. Despite this oversight, components again are not\nexecuting fully the department\xe2\x80\x99s policies, procedures, and practices. Issues remain with\ncomponent system certification and accreditation, Plans of Action and Milestones, and system\nbaseline configurations. Other information security program areas where weaknesses exist\ninclude security configuration management, incident detection and analysis, and security\ntraining. Management oversight of the component\xe2\x80\x99s implementation of the department\xe2\x80\x99s policies\nand procedures needs to be improved to ensure the quality of the certification and accreditation\nprocess and that all information security weaknesses are tracked and remediated.\n\nIn addition to our FISMA evaluations, during the past year we conducted information security\naudits of DHS laptop computers, performed technical security evaluations at Ronald Reagan\nWashington National Airport and Dulles International Airport, assessed protective measures for\npersonally identifiable information, and evaluated physical and system security at Plum Island.\nWe also reviewed major programs and applications, such as DHS\xe2\x80\x99 implementation of Homeland\nSecurity Presidential Directive (HSPD-12) and the Automated Targeting System. Based on the\nresults of these audits, as well as our FISMA evaluation, and despite continued improvements in\nDHS\xe2\x80\x99 information security program, we determined that DHS organizational components are not\nexecuting all of the department\xe2\x80\x99s policies, procedures, and practices.\n\n\n\n\n9\n    DHS-OIG, Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2007, OIG-07-77, September 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                   18\n\x0cFor example:\n\n     \xe2\x80\xa2   All operational systems have not been adequately certified and accredited;\n\n     \xe2\x80\xa2   All components\xe2\x80\x99 information security weaknesses are not included in a Plan of Action\n         and Milestones; and\n\n     \xe2\x80\xa2   Standard configurations have not been fully implemented.\n\nFurther, while DHS has issued substantial guidance designed to create and maintain secure\nsystems, there exist areas where agency-wide information security procedures require\nstrengthening: (1) certification and accreditation; (2) vulnerability testing and remediation;\n(3) contingency plan testing; (4) incident detection, analysis, and reporting; (5) security\nconfigurations; and (6) specialized security training. To address these issues, the CIO must\nidentify ways to improve the review process and increase the accountability of DHS component\norganizations.\n\nAdditionally, DHS is required to protect its intelligence systems. We reported that DHS should\ngrant the Office of Intelligence and Analysis (OI&A) the comprehensive authority to support the\nmanagement, operation, and security of the department\xe2\x80\x99s Sensitive Compartmented Information\nsystems. This authority will strengthen OI&A\xe2\x80\x99s oversight of component compliance with\nFISMA requirements for the data and the information systems that support its intelligence\noperations and assets.\n\nDHS Component IT Management\n\nAlthough improvements have been made, IT management at the subcomponent-level remains a\nmajor challenge, as demonstrated by our audits and subsequent reports on the IT programs and\ninitiatives of selected DHS directorates and organizations. We continued to identify problems\nwith outdated or stove-piped systems, at times supporting inefficient business processes.\nPlanning to modernize IT was unfocused, often with inadequate requirements identification,\nanalysis, and testing to support acquisition and deployment of the systems and other technologies\nneeded to improve operations. We also found consideration of privacy matters to be lacking for\nsome IT programs.\n\nFor example, in November 2006, we reported as part of a follow-up review that U.S. Citizenship\nand Immigration Services (USCIS) had made some progress by placing priority on business\ntransformation, taking steps to centralize authority for IT personnel, initiating business process\nreengineering activities, and upgrading desktops and servers at key field locations.10 However,\nwe found that USCIS would benefit from improvements in centralizing IT operations and\nrefining IT management practices. To be successful, USCIS also must continue to ensure that its\ntransformation strategy as defined is clearly executed. We concluded that until USCIS addresses\nthese issues, the bureau will not be in a position to either effectively manage existing workloads\n\n\n10\n  DHS-OIG, U.S. Citizenship and Immigration Services\xe2\x80\x99 Progress in Modernizing Information Technology, OIG-\n07-11, November 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                 19\n\x0cor handle the potentially dramatic increase in immigration benefits processing workloads that\ncould result from proposed immigration reform legislation.\n\nSimilarly, our December 2006 follow-up assessment of FEMA\xe2\x80\x99s efforts to upgrade its principal\ndisaster management system showed that although the agency has made short-term progress in\naddressing problems in each of these areas, more remains to be done to address long-term\nplanning and systems integration needs. These improvements primarily included increasing the\nNational Emergency Management Information System\xe2\x80\x99s (NEMIS) capacity and online access\nand registration. In addition, FEMA and its program offices specifically addressed our previous\nreport\xe2\x80\x99s recommendations by documenting training resources, developing a plan to implement its\nenterprise architecture (EA), gathering requirements for new business tools, and improving\nconfiguration management.\n\nDespite these positive steps, FEMA had not documented or communicated a strategic direction\nto guide long-term IT investment and system development efforts. FEMA also had not\nperformed crosscutting requirements gathering to determine business needs, which would allow\nits Information Technology Services Division (ITSD) personnel to analyze alternatives to\ncontinued development of the complex, custom NEMIS system. FEMA has challenges to\naccomplishing these tasks, including personnel needs, time limitations, and funding constraints.\nTherefore, constrained by limited resources, FEMA focused its efforts on preparing for the 2006\nhurricane season and made little progress in addressing long-term needs, such as updating\nstrategic plans, defining cross-cutting requirements, and evaluating systems alternatives.\n\nOur reviews of major IT programs and initiatives of various components\xe2\x80\x99 management indicate\nsimilar problems. For example, in June 2007 we reported that a key Science and Technology\n(S&T) data mining program, Analysis, Dissemination, Visualization, Insight, and Semantic\nEnhancement (ADVISE) was at risk, due to a number of factors.11 Specifically, S&T program\nmanagers did not develop a formal business case for the research and development project, in\npart because they were unaware of requirements to do so. In addition, program managers did not\naddress privacy impacts before implementing three pilot initiatives to support ADVISE. Further,\ndue to inadequate data access and system usability, OI&A analysts did not use the ADVISE\npilot. Finally, because S&T did not effectively communicate and coordinate with DHS\nleadership about the benefits of ADVISE, departmental components have been unwilling to\nadopt ADVISE to support their intelligence analysis operations. DHS discontinued the three\nADVISE pilots due to privacy concerns and ultimately announced the termination of the\nADVISE program in September 2007.\n\nIn July 2007 we reported that the National Bio-Surveillance Integration System (NBIS) program\nwas falling short of its objectives.12 Specifically, DHS did not provide consistent leadership and\nstaff support to ensure successful execution of the NBIS program. For various reasons, NBIS\nownership shifted among department organizations numerous times, with corresponding\nfluctuations in the program approach, priority, and accomplishments. NBIS also struggled since\nits inception to secure the staff needed to manage program activities effectively. As a result of\n\n11\n  DHS-OIG, ADVISE Could Support Intelligence Analysis More Effectively, OIG-07-56, June 2007.\n12\n  DHS-OIG, Better Management Needed for the National Bio-Surveillance Integration System Program, OIG-07-\n61, July 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                20\n\x0cthe repeated transitions and staffing shortfalls, planning documents needed to guide IT\ndevelopment were not finalized. Program management did not effectively communicate and\ncoordinate with stakeholders to secure the data, personnel, and information sharing agreements\nneeded to support system development. Additionally, program management did not provide the\ncontractor with adequate guidance, requirements input, or data sources to deliver a fully\nfunctional system. As such, the contractor may not fulfill NBIS capability and schedule\nrequirements, which potentially could result in cost increases to the program.\n\nPrivacy\n\nDHS collects large amounts of information to support its various missions, and much of this\ninformation is personal, and must be protected in accordance with federal statutes governing\nprivacy. As such, DHS faces challenges in ensuring that privacy concerns are addressed\nthroughout the lifecycle of each information system or program. Our reviews of DHS programs\nhave identified instances where DHS\xe2\x80\x99 efforts to meet these challenges are falling short.\n\nSpecifically, following several recent incidents involving the compromise or loss of sensitive\npersonal information, Office of Management and Budget (OMB) issued Memorandum 06-16\nProtection of Sensitive Agency Information on June 23, 2006. The memorandum recommends\nmeasures to compensate for the lack of physical security controls when information is removed\nfrom or accessed from outside the agency location. These measures include (1) verifying the\nadequacy of agency policies and procedures; (2) identifying systems processing Personally\nIdentifiable Information (PII); (3) encrypting data on laptops and mobile computing devices; and\n(4) implementing remote access security and offsite transportation and storage controls.\n\nIn November 2006, we reported on DHS\xe2\x80\x99 implementation of the recommendations set forth in\nOMB Memorandum 06-16. We noted that DHS and its components are in the process of\nimplementing OMB\xe2\x80\x99s recommended security controls for sensitive data and PII. DHS has issued\nupdated policies and procedures to address OMB\xe2\x80\x99s recommendations. Further, DHS is in the\nprocess of identifying PII systems, encrypting laptop computers, and implementing remote\naccess security and offsite transportation and storage controls. Until all systems collecting,\nprocessing, or storing PII are identified, and adequate controls for protecting remote access and\nstorage of PII are implemented, DHS lacks assurance that sensitive data are properly protected.\n\nIn addition, our June 2007 report on ADVISE stated that S&T program management did not\nbegin the privacy impact process until after several pilots for the ADVISE program were already\noperational.13 Federal agencies are required to conduct a Privacy Impact Assessment for each\nnew or substantially changed IT system that collects, maintains, or disseminates personally\nidentifiable information. For its part, the DHS Privacy Office did not know that S&T had\nproceeded with implementation of the ADVISE pilot programs with live data, but without\naddressing privacy matters. In a July 6, 2006, report to the Congress, the Privacy Office stated\nthat the ADVISE tool alone does not perform data mining. However, the report went on to\nexplain that implementation of this system with live data could be considered a data mining tool.\nUnbeknownst to the Privacy Office, the ADVISE pilots had been implemented at least 18\n\n\n13\n     DHS-OIG, ADVISE Could Support Intelligence Analysis More Effectively, OIG-07-56, June 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                           21\n\x0cmonths prior to its July 2006 report. Failure to properly address privacy issues prior to\ndeploying the three pilots had the ultimate effect of bringing the ADVISE program to a halt.\n\nFinally, our July 2007 report on the National Bio-Surveillance Integration System program\n(NBIS) revealed that DHS officials did not effectively coordinate with federal stakeholders to\naddress concerns about the privacy and security of data shared.14 Without NBIS program\nofficials first defining what information NBIS needs, stakeholders had little basis to determine\nwhat information might be released by their agencies.\n\nInformation Sharing\n\nThe Homeland Security Act of 200215 makes coordination of homeland security communication\nwith state and local government authorities, the private sector, and the public a key DHS\nresponsibility. Due to time pressures, DHS did not complete a number of the steps essential to\neffective planning and implementation of the Homeland Security Information Network\n(HSIN)\xe2\x80\x94the sensitive but unclassified system it instituted to help carry out this mission.\n\nAs we reported in June 2006, DHS did not clearly define HSIN\xe2\x80\x99s relationship to existing\ncollaboration systems and also did not obtain and address requirements from all HSIN user\ncommunities in developing the system.16 Further, DHS did not provide adequate user guidance,\nincluding clear information sharing processes, training, and reference materials. Without\nestablishing a baseline and developing specific performance measures, DHS had no effective\nway to track or assess information sharing using HSIN. As of June 2007, DHS\xe2\x80\x99 Office of\nOperations Coordination had taken steps to address our report\xe2\x80\x99s recommendations. Specifically,\nto remedy communication, coordination and system guidance shortfalls, program management\nhas created a HSIN Joint Program Office to develop training initiatives. Also, a Stakeholder\nRelationship Management team was tasked to focus on engagement of stakeholders and\ncommunicating the mission and vision of HSIN. In addition, the Homeland Security Information\nNetwork Work Group was engaged in aligning business processes, coordinating requirements,\nand creating cross-functional governances for HSIN. Lastly, the HSIN Program Manager was\nworking to ensure that performance metrics are established, instituted, and used to determine\nsystem and information sharing effectiveness.\n\nOn a broader scale, DHS is challenged with incorporating data mining into its overall strategy for\nsharing information to help detect and prevent terrorism. Data mining aids agents, investigators,\nand analysts in the discovery of patterns and relationships from vast quantities of data. The\nHomeland Security Act authorizes DHS to use data mining and other tools to access, receive, and\nanalyze information. Our August 2006 report on DHS data mining activities identified various\nstove-piped activities that use limited data mining features.17 For example, CBP performs\nmatching to target high-risk cargo. The U.S. Secret Service automates the evaluation of\ncounterfeit documents. TSA collects tactical information on suspicious activities. ICE detects\n14\n   DHS-OIG, Better Management Needed for the National Bio-Surveillance Integration System Program, OIG-07-\n61, July 2007.\n15\n   P.L. 107-296.\n16\n   DHS-OIG, Homeland Security Information Network Could Support Information Sharing More Effectively, OIG-\n06-38, June 2006.\n17\n   DHS-OIG, Survey of DHS Data Mining Activities, OIG-06-56, August 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                 22\n\x0cand links anomalies indicative of criminal activity to discover relationships. However, without\ndepartment-wide planning, coordination, and direction, the potential for integrating advanced\ndata mining functionality and capabilities to address homeland security issues remains untapped.\n\n\nINFRASTRUCTURE PROTECTION\n\nDHS is responsible for coordinating the national effort to enhance protection of critical\ninfrastructure and key resources (CI/KR) of the United States. Specifically, DHS has direct\nresponsibility for leading, integrating, and coordinating efforts to protect the chemical industry;\ncommercial facilities; dams; emergency services; commercial nuclear reactors, materials, and\nwaste; information technology; telecommunications; postal and shipping; transportation systems;\nand government facilities. In addition, DHS has an oversight role in coordinating the protection\nof CI/KR for which other federal agencies have the primary protection responsibility. Those\nCI/KR include agriculture and food; the defense industrial base; energy; public health and\nhealthcare; national monuments and icons; banking and finance; and water and water treatment\nsystems. Combined with the uncertainty of the terrorist threat and other manmade or natural\ndisasters, the effective implementation of protection efforts is a great challenge.\n\nDHS has numerous CI/KR responsibilities to discharge. After issuing the National Infrastructure\nProtection Plan in June 2006, DHS worked toward completion of specific plans for each critical\ninfrastructure sector. On May 21, 2007, the DHS Secretary approved all 17 sector-specific plans.\nMore work needs to be done in the different sectors. For example, in the chemical sector, DHS\nissued an Interim Final Rule for Chemical Facility Anti-Terrorism Standards in April 2007. The\ndepartment is now completing the rule, ensuring that vulnerability assessments are conducted,\nand fostering the development of site security plans. In the transportation sector, DHS is\nworking to establish a Sector Coordinating Council and implement new statutory requirements.\nIn the agriculture and food sector, we reported that DHS has satisfied most of its basic\nrequirements but still needed to submit an integrated federal food defense budget plan and\nclearly establish assessment standards for use in the food sector.18\n\nThe nation\xe2\x80\x99s CI/KR distribution is enormous and complex. The requirement to rely on the\nprivate sector and federal partners to deter threats, mitigate vulnerabilities, or minimize incident\nconsequences complicates protection efforts for all CI/KR. We reported several opportunities\nfor DHS to improve its engagement of public and private partners.19 DHS also could do more to\nprioritize resources and activities based on risk. To assist in overcoming this great challenge, the\nNational Infrastructure Protection Plan envisions a comprehensive, national inventory of assets,\nknown as the National Asset Database (NADB), to help carry out these responsibilities. A\nmaturing NADB is essential to the development of a comprehensive picture of the nation\xe2\x80\x99s\nCI/KR, as well as to management and resource allocation decision-making. As we reported in\nFY 2006, DHS is improving the development and quality of the NADB.20 DHS also is\n\n18\n   DHS OIG, The Department of Homeland Security\xe2\x80\x99s Role in Food Defense and Critical Infrastructure Protection,\nOIG-07-33, February 2007.\n19\n   DHS OIG, Review of the Buffer Zone Protection Program, OIG-07-59, July 2007; The Department of Homeland\nSecurity\xe2\x80\x99s Role in Food Defense and Critical Infrastructure Protection, OIG-07-33, February 2007.\n20\n   DHS OIG, Progress in Developing the National Asset Database, OIG-06-40, June 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                    23\n\x0cstrengthening its relationships with other responsible federal departments. Standardizing\nvulnerability assessment methodologies, such as the Risk Analysis and Management for Critical\nAsset Protection tool, will also help the department better understand CI/KR.21\n\nWe will continue to monitor and review how DHS coordinates infrastructure protection with\nother sectors, how it uses the NADB to support its risk management framework, and how its\npursuit of basic vulnerability assessment standards can help develop overarching departmental\npriorities.\n\nProtecting the nation\xe2\x80\x99s cyber infrastructure also is a challenge for DHS. Since our last review in\n2004, the National Cyber Security Division has taken actions to further implement The National\nStrategy to Secure Cyberspace that was published by the White House in February 2003. For\nexample, the division has established a fully operational incident handling center (United States\nComputer Emergency Readiness Team). The National Cyber Security Division has put into\naction programs that promote cyber security awareness among the public and private sectors;\nimprove vendor software development and reduce vulnerabilities; develop and promote sound\npractices and standards that enhance cyber security; promote a global culture of security through\ninternational outreach awareness; promote and facilitate the development of adequately trained\nIT professionals; and plan, coordinate, and conduct cyber exercises with the public and private\nsectors to improve cyber security readiness, protection, and incident response capabilities. The\nNational Cyber Security Division has established working groups and participated with public\nand private sector organizations to share information and protect cyberspace and cyber assets.\n\nWhile the National Cyber Security Division has made progress in meeting its mission, it can\nimprove its efforts to secure the nation\xe2\x80\x99s cyber infrastructure. Specifically, the division has not\n(1) established priorities to ensure that its mission-critical tasks supporting its programs are\ncompleted timely; (2) developed enhanced performance measures that can be used to evaluate\neffectiveness in meeting its mission; (3) fully developed its information sharing and\ncommunications programs with the private sector; (4) developed and implemented enhanced\nprocedures to ensure that all known cyber incidents from across the federal government are\nreported.\n\n\nBORDER SECURITY\n\nOne of DHS\xe2\x80\x99 primary missions is to reduce America\xe2\x80\x99s vulnerability to terrorism by controlling\nthe borders of the United States. This mission is shared by a number of agencies within DHS\nand is dependent on the coordinated accomplishment of each agency\xe2\x80\x99s roles as well as, joint\nefforts with other agencies. To this end, DHS created and is implementing a comprehensive\nmulti-year plan to secure the borders and reduce illegal immigration. This plan, called the\nSecure Border Initiative (SBI) orchestrates roles for CBP, ICE, CIS, Coast Guard, and other\ncomponents.\n\n\n\n21\n  DHS OIG, A Review of Homeland Security Activities Along a Segment of the Michigan-Canadian Border, OIG-\n07-68, August 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                24\n\x0cThis plan should address some of the previously reported challenges. For example, last year we\nreported that CBP and ICE continue to experience difficulties in coordinating and integrating\ntheir respective operations.22 More than two years after their creation, CBP and ICE have not\ncome together to form a seamless border enforcement program. Their operations have\nsignificant interdependencies that have created conflict between CBP and ICE. Jurisdictional,\noperational, and communication gaps exist between the two organizations that must be addressed\nby DHS leadership.\n\nOur follow-up review determined that DHS has made significant progress toward improving\ncoordination and interoperability between CBP and ICE. Additional work is needed to: improve\ncommunication between headquarters and field elements; share information and intelligence;\nstrengthen performance measures; and address relational issues among some component\nelements.23\n\nAnother example is the integration of border surveillance technologies. Previously, we reported\nthat border surveillance cameras were not integrated with ground sensors, and sensors are\nplagued by false alarms. We recommended that CBP improve the effectiveness of remote\nsurveillance technology.24\n\nAs previously reported, maintaining a systems approach to addressing the challenge of securing\nour borders is a major challenge as the SBI focus shifts to the DHS components\xe2\x80\x99 implementation\nof the various plans comprising SBI. The major planned efforts under SBI are led by the three\nlead components for immigration and border security.\n\n     \xe2\x80\xa2   ICE leads plans to improve the apprehension, detention, and removal of illegal aliens, and\n         to expand worksite enforcement. Improvements in alien detention and removal efforts\n         require coordinated efforts across DHS and collaboration with the Department of Justice\n         and other agencies sharing responsibility for this function.\n\n     \xe2\x80\xa2   CIS leads plans for a temporary guest worker program; streamlining immigration benefits\n         processes; and expanding the employment verification program. CIS plans to focus on\n         automating and improving processes to (1) increase efficiency, (2) alleviate chronic\n         backlogs in benefit application processing and adjudications, and (3) handle anticipated\n         increases in applicants under proposed expanded guest worker initiatives.\n\n     \xe2\x80\xa2   CBP leads a major investment program to gain control of the borders called SBInet. The\n         SBInet objective is to develop solutions to manage, control, and secure the borders using\n         a mix of technology, infrastructure, personnel, and processes. While SBInet is a new\n         program, it replaces two previous efforts to gain control of the borders: the Integrated\n         Surveillance Intelligence System and the America\xe2\x80\x99s Shield Initiative. CBP awarded a\n\n\n22\n   DHS-OIG, An Assessment of the Proposal to Merge Customs and Border Protection with Immigration and\nCustoms Enforcement, OIG-06-04, November 2005.\n23\n   DHS-OIG, DHS\xe2\x80\x99 Progress in Addressing Coordination Challenges Between Customs and Border Protection and\nImmigration and Custom Enforcement, OIG-07-38, April 2007.\n24\n   DHS-OIG, A Review of Remote Surveillance Technology Along U.S. Land Borders, OIG-06-15, December 2005.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                               25\n\x0c           multiple year systems integration contract in September 2006 to begin the SBInet multi-\n           billion dollar initiative.\n\nWe have monitored the initiation of the SBInet program and provided a risk advisory with\nrecommendations to address observed weaknesses in the program.25 The SBI procurement\npresents a considerable acquisition risk because of its size and scope.\n\nOur main concern about SBInet is that DHS is embarking on this multi-billion dollar acquisition\nproject without having laid the foundation to effectively oversee and assess contractor\nperformance and effectively control cost and schedule. DHS did not properly define, validate,\nand stabilize operational requirements and needs to do so quickly to avoid rework of the\ncontractor\xe2\x80\x99s systems engineering and the attendant waste of resources and delay in\nimplementation. Moreover, until the operational and contract requirements are firm, effective\nperformance management and cost and schedule control is precluded. DHS also needs to move\nquickly to establish the organizational capacity to properly oversee, manage, and execute the\nprogram. In our March 2006 semiannual report, we reported progress in building that capacity\nand we continue to monitor this program and the new acquisition organizations closely.\n\nAdditionally, CBP faces challenges attendant to the rapid build-up of its force structure,\nespecially the significant increases in the number of US Border Patrol Agents. In an effort to\nsecure our nation\xe2\x80\x99s border, President Bush announced in May 2006 that the Border Patrol would\nadd an additional 6,000 agents by the end of 2008. With this rapid expansion came several\nchallenges for the Border Patrol, including recruiting, hiring, and training a sufficient number of\nBorder Patrol agents; providing sufficient vehicles for agents; and ensuring that there are\nadequate facilities to house the number of agents entering on duty. While the Border Patrol has\nmade progress in its expansion efforts, challenges continue to arise in order for the Border Patrol\nto realize its goal over the next 15 months. To improve recruiting, CBP has developed and\nimplemented a strategic plan to meet its recruiting goals. Ensuring hiring process are supported\nby effective and timely background checks remains a concern as delays increase and instances of\nhires subsequently found to be unsuitable occur. In addition, once Border Patrol agents are hired\nand enter on duty, they are required to attend and complete training at the Border Patrol\nAcademy and, once on station, to receive on-the-job training from experienced agents. The\nBorder Patrol is challenged to maintain the quality of training as it changes the curriculum to\naccommodate the flow of students and as the ratio of experienced agents to new recruits\ndecreases. Also, there are experienced agents who have the perception that the Academy has\nrelaxed its standards and is graduating agents that are not well trained to meet the challenge of\nbeing an agent.\n\nAlso, the Border Patrol must ensure that agents have the vehicles necessary to conduct their\nmission. Vehicles used by Border Patrol agents in 2006 exceeded the recommended life for\nabout half the fleet; however, CBP reported that funds were not available to replace vehicles in\nFY 2006. In FY 2007 the budget provided for marginal Border Patrol fleet growth, although\nduring the same period the Border Patrol agent count increased by 25 percent.\n\n\n\n25\n     DHS-OIG, Risk Management Advisory for the SBInet Program Initiation, OIG-07-07, November 2006.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                              26\n\x0cFinally, CBP needs to ensure that that there are adequate facilities to accommodate the increase\nof Border Patrol agents. This includes predicting the location and number of new agents being\ndeployed, building concurrent construction projects, and funding for construction projects. The\nlocation and number of new agents to be deployed are key factors in the planning process.\nAgents are deployed based on operational needs, which can change as the amount and type of\nactivity changes on the border. As agents are redeployed or newly deployed, CBP has to change\nits real estate to accommodate them. One way CBP responds to this challenge is with Rapid\nResponse Projects. CBP currently is building 73 Rapid Response Projects at the same time.\nHowever, building concurrent projects takes a large amount of coordination and communication\nbetween CBP and its various service providers. With so many projects underway at one time,\nCBP may not be able to apply adequate oversight and controls to ensure that schedule, quality,\nand cost requirements are met. We are reviewing the construction of Border Patrol facilities.\n\nOther DHS components share border security responsibilities and are necessarily part of a\ncomprehensive solution to border and immigration control. For example, the US-VISIT Program\nis responsible for developing and fielding DHS\xe2\x80\x99 entry-exit system. It also coordinates the\nintegration of two fingerprint systems: DHS\xe2\x80\x99 Automated Biometric Identification System and\nthe Federal Bureau of Investigation\xe2\x80\x99s Integrated Automated Fingerprint Identification System.\nWhile US-VISIT has some early accomplishments, the tracking of foreign visitors and\nimmigrants still has weaknesses, especially on exit, that should be addressed under a systems\napproach.\n\nDHS also needs to address other weaknesses as part of the comprehensive solution to\nimmigration and border control. For example, CBP needs to fuse the intelligence gathered with\nintelligence requirements to accomplish its priority mission. The CBP mission of preventing\nterrorists and terrorist weapons from entering the United States, while facilitating the flow of\nlegitimate trade and travel is critical. Differentiating between the two requires timely\nintelligence. The ability of CBP to gather intelligence information and distribute it to field\npersonnel has a direct effect on security at our borders. Border security also depends on\ninformation about terrorists kept on various watch lists. The watch lists are managed by several\nfederal agencies. Those agencies and DHS need to coordinate access to the lists to ensure\nvaluable information flows through CBP to field personnel on the line.\n\nWe will continue to maintain an aggressive oversight program for DHS\xe2\x80\x99 border security\ninitiatives to ensure that DHS applies a systems approach and carries out the resultant plans and\nprograms in an economical, efficient, and effective manner.\n\n\nTRANSPORTATION SECURITY\n\nAviation\n\nTSA was created in the wake of the terrorist attacks of September 11, 2001, to strengthen the\nsecurity of the nation\'s transportation systems. The Aviation and Transportation Security Act\n(ATSA),26 established TSA to protect the nation\xe2\x80\x99s transportation system, encompassing aircraft,\n\n26\n     P.L. 107-71, November 19, 2001.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        27\n\x0cships, rail and motor vehicles, airports, seaports, trans-shipment facilities, roads, railways,\nbridges, and pipelines from terrorist attacks and criminal activity. TSA employs approximately\n50,000 people responsible for:\n\n    \xe2\x80\xa2   Ensuring thorough and efficient screening of all aviation passengers and baggage through\n        an appropriate mix of federalized and privatized screeners and technology;\n\n    \xe2\x80\xa2   Promoting confidence through the deployment of Federal Air Marshals to detect, deter,\n        and defeat hostile acts targeting air carriers, airports, passengers, and crews; managing\n        the security risk to the surface transportation systems in partnership with federal, local,\n        and private stakeholders;\n\n    \xe2\x80\xa2   Developing and implementing more efficient, reliable, integrated, and cost effective\n        terrorist related screening programs; and\n\n    \xe2\x80\xa2   Improving organizational effectiveness by expanding capabilities of the workforce to\n        leverage limited resources.\n\nThe size and complexity of the transportation system, which moves millions of passengers and\ntons of freight every day, makes it a difficult system to secure and an attractive target for\nterrorists. The nation\xe2\x80\x99s economy depends upon implementation of effective, yet efficient\ntransportation security measures. However, since its inception, TSA has focused almost all of its\nattention on aviation security.\n\nAs part of its mandate, TSA has had to recruit, assess, hire, train, and deploy Transportation\nSecurity Officers (or TSOs, formerly known as \xe2\x80\x9cscreeners\xe2\x80\x9d) for approximately 450 commercial\nairports, and provide 100 percent screening of all checked luggage for explosives. TSA,\noriginally a part of the Department of Transportation, became part of DHS in March 2003.\nTransportation security management challenges are as follows:\n\nCheckpoint and Checked Baggage Performance\n\nThe ATSA requires TSA to screen or inspect all passengers, goods, and property before entry\ninto the sterile areas of the airport. The OIG has periodically conducted undercover penetration\ntesting to determine to what extent TSA\xe2\x80\x99s policies, procedures, equipment, and supervision\nensure that TSO performance prevents threat items from entry into the sterile area and the\nchecked baggage systems of the nations airports. Through our periodic testing, the OIG has\nassessed whether TSA\xe2\x80\x99s screening policies and procedures are adequate, whether TSOs follow\nthe screening policies and procedures, and whether aviation security screening equipment and\ntechnologies are functioning properly and as intended. Our undercover audits of screener\nperformance revealed that improvements are needed in the screening process to ensure that\ndangerous prohibited items are not being carried into the sterile areas of heavily used airports\nand do not enter the checked baggage system. In past testing, we noted four areas that caused\nmost of the test failures and were in need of improvement: training; equipment and technology;\npolicy and procedures; and management and supervision. TSA agreed with our conclusion that\nsignificant improvements in screener performance will only be possible with the introduction of\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                              28\n\x0cnew technology. During FY 2008, we will release a classified report on our latest penetration\ntesting results, including the effectiveness of TSA\xe2\x80\x99s performance in implementing newer\ntechnologies.\n\nPassenger Air Cargo Security\n\nThe vast and multifaceted air cargo system transports approximately 7,500 tons of cargo on\npassenger planes each day, making air cargo vulnerable to terrorist threats. The Assistant\nSecretary of TSA has primary responsibility for enforcing and implementing all regulations\nrelated to aviation security. TSA enforces statutory and regulatory requirements, disseminates\nthreat-related information, and provides guidance and some funding. TSA relies on the oversight\nand inspections carried out by Aviation Security Inspectors (ASI), who are located at airports\nthroughout the United States. ASIs are responsible for inspecting approximately 285 passenger\nand all-cargo air carriers with about 2,800 cargo facilities nationwide. TSA has approximately\n300 Cargo ASIs, supplemented by 600 Generalist ASIs, responsible for conducting inspections\nof screening activities at approximately 100 airports.\n\nRecent OIG work showed that TSA\xe2\x80\x99s inspection process might not accurately represent the\nextent to which air carriers comply with cargo screening requirements. Additionally, TSA does\nnot provide sufficient resources for air carrier inspection coverage. Therefore, ASIs do not have\nthe capability to monitor cargo screening activities and are unable to report accurately on air\ncarrier compliance. TSA\xe2\x80\x99s compliance database, the Performance and Results Information\nSystem, is ineffective as a tool to monitor and report air carrier compliance with screening\nregulations. In addition, the current level of oversight does not provide assurance that air carriers\nare meeting congressionally mandated goals of tripling the amount of cargo screened for\npassenger aircraft and that air carriers are properly applying exemption rules for cargo screening.\nConsequently, the process increases the opportunities for the carriage of explosives, incendiaries,\nand other dangerous devices on passenger aircraft.\n\nWorkers\xe2\x80\x99 Compensation\n\nThe physical activity required to screen passengers and baggage at the nation\xe2\x80\x99s airports has\nresulted in an inordinate number of injuries for TSA screeners. In FY 2007, the OIG completed\nan audit to determine whether TSA is effectively and aggressively managing its Federal\nEmployees\xe2\x80\x99 Compensation Act (FECA) program to reduce workplace injuries, and minimize lost\nworkdays and FECA-related compensation costs by returning work-capable employees to work\nas soon as possible. We concluded that TSA made substantial progress in improving the\ntimeliness of new injury claims, reducing both the number of workers\xe2\x80\x99 compensation claims and\nlost time associated with workplace injuries. However, TSA must take steps to better manage its\nworkers\xe2\x80\x99 compensation caseload. We identified claimants who were receiving long-term\ncompensation for up to three years despite the fact that medical evidence indicated work\ncapability. We also identified claimants who were not offered limited duty when capable and,\nwhen permanent restrictions existed, not recommended for vocational rehabilitation in a timely\nmanner. As a result, the agency may be paying benefits to individuals who are not entitled to\nthem, and may be at risk of workers\xe2\x80\x99 compensation fraud and abuse. In addition, the agency did\nnot have a process to validate its workers\xe2\x80\x99 compensation chargeback reports. Without reviewing\nits chargeback reports the agency is unable to determine whether the Department of Labor is\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                          29\n\x0caccurately billing the agency and is likely incurring inappropriate or excessive costs at other\nairports nationwide.\n\nWe made 12 recommendations to the Assistant Secretary of the TSA to strengthen the controls\nover its Federal Employees\xe2\x80\x99 Compensation Act program. Recommendations included a re-\nevaluation of long-term cases, more guidance and training for staff, a centralized tracking system\nfor FECA cases, better monitoring of FECA costs, and sharing of safety best practices and\nincentive programs. TSA generally concurred with the recommendations in the report and has\nalready taken steps to address several of them.\n\nEmployee Workplace Issues\n\nA stable, mature, and experienced TSA workforce is the one of the most effective tools the\nagency has to meet its mission. Since 2004, TSA has been sharply criticized by its employees,\nprimarily TSOs, for alleged discrimination, selective hiring practices, nepotism, management\nviolations, and lax oversight. TSA employees have been voicing their concerns about how the\nagency operates by filing discrimination complaints that were significantly higher than its closest\ncompetitors among federal agencies. TSA has faced high attrition rates and low employee\nmorale, which some say is the result of a lack of employee rights and protections. High levels of\nworkplace dissatisfaction among the TSA screener workforce could compromise organizational\nstability and, therefore, the effectiveness of airport security operations. In FY 2008, we will\nissue a report on how effective TSA has been in proactively identifying and addressing employee\nworkplace problems, issues and concerns.\n\nRail And Mass Transit\n\nSurface transportation systems are extremely vulnerable to terrorist attack, as evidenced by the\nattacks on passenger rail facilities in Madrid, London, and India. Passenger rail, bus, highway,\nand ferry systems are inherently difficult to secure in the United States because of their open\naccessibility (typically, many entry and exit points), high ridership (nearly 9 billion transit trips\nper year on buses and subways), and extensive infrastructure (roughly 11,000 track miles of\ntransit rail and 3000 stations, 3.8 million miles of roads nationwide, and more than 600,000\nbridges and tunnels). While the majority of mass transit systems in the nation are owned and\noperated by state and local governments and private industry, securing these systems is a shared\nresponsibility among federal, state, and local partners. More robust information exchange, threat\ndetection, and preparedness measures must be undertaken to ensure the security and resilience of\nthe surface transportation system.\n\nThe Transportation Sector Specific Plan that DHS published in May 2007 brings together\nfederal, state, and local government partners and regional mass transit stakeholders to create a \xe2\x80\x9ca\nsecure, resilient transit system that leverages public awareness, technology, and layered security\nprograms while maintaining the efficient flow of passengers.\xe2\x80\x9d27 Nevertheless, the task of\nprioritizing and securing surface transportation is daunting. DHS has made millions of dollars\navailable through the Transportation Security Grant Program, Homeland Security Grant\nProgram, Trucking Industry Security Grant Program, Urban Area Security Initiative, and other\n\n27\n     DHS, Transportation Sector-Specific Plan: Mass Transit Modal Annex, May 21, 2007 (page 3).\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                          30\n\x0cfunding methods. For rail and public transit safety grant programs in particular, the Congress\nprovided $275 million in FY 2007, and FY 2008 funds may exceed $400 million. Other DHS\nprograms include the Surface Transportation Security Inspection Program, in which TSA\nemploys inspectors who assess a transit system\xe2\x80\x99s security posture and act as local liaisons.\nAdditionally, TSA trains and deploys supplemental security manpower for high-risk transit\nsystems through Visual Intermodal Protection and Response Teams and provides free explosive\ndetection canines for transit systems through its Canine Program. DHS also develops and tests\nnew technologies, such as more effective chemical and explosive detection equipment, mobile\nsecurity checkpoints, and video surveillance systems.\n\nWe are reviewing DHS actions to improve passenger rail security on subway and commuter rail\nsystems through various TSA programs, assessing how well these programs intersect with\nfederally funded programs operated at the local level. We are examining the impact that the\nfederal grants and policies have on local transit authorities. We also are reviewing the\neffectiveness of the trucking industry security grant program.\n\n\nTRADE OPERATIONS AND SECURITY\n\nTrade operations and security primarily are the responsibility of CBP, although USCG and ICE\nalso play important support roles. CBP has the counterbalancing missions of facilitating\nlegitimate trade and enforcing the laws associated with trade and border controls. CBP has the\nchallenge of interdicting smuggling and stopping other illegal activities, that benefit terrorists\nand their supporters. In a typical year, CBP processes millions of sea containers, semi-tractor\ntrailers, rail cars, and tons of bulk cargo and liquids, such as chemicals, crude oil, and petroleum\nproducts. CBP also processes or reviews all of the personnel associated with moving this cargo\nacross U.S. borders or to U.S. seaports.\n\nCBP has implemented a number of initiatives to accomplish this objective such as the Container\nSecurity Initiative, and Customs-Trade Partnership Against Terrorism (C-TPAT). CSI works\nwith foreign allies and partners to screen and examine containerized cargo at overseas ports\nbefore it is loaded on ships bound for the U.S. The initiative calls for the increased use of non-\nintrusive technology to inspect this cargo both overseas and at U.S. ports. Within C-TPAT, CBP\nworks with trade representatives to develop and implement processes and systems to help secure\nthe supply chain. CBP uses targeting systems to assist in identifying the highest risk cargo on\nwhich to focus its limited resources. Other initiatives include the Secure Freight Initiative, a\ncomprehensive model for improving global supply chain security while keeping legitimate trade\nflowing. Officially launched on December 7, 2006, it is designed to leverage information,\nforeign government and commercial partnerships, plus the latest technology to reduce the risk of\nterrorism.\n\nIn support of its trade mission, CBP is undertaking an extensive and long-term effort to develop\na new system, Automated Commercial Environment (ACE), to replace older, less effective, and\nless capable trade processing systems. The ACE Release 4 provides an electronic truck manifest,\nscreens for CBP officers\xe2\x80\x99 use, and expedited importation processing. In our 2007 audit, we\nreported that generally, problems referred to the ACE help desk were resolved effectively.\nHowever, CBP did not detect and resolve some operational problems that occurred at the ports\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                          31\n\x0cand did not provide adequate communication and guidance to the ports. We recommended that\nCBP develop procedures to monitor post-deployment operations and communicate ACE\nproblems, operational fixes, and system changes to CBP Officers at the ports in a timely\nmanner.28\n\nThe Automated Targeting System (ATS) helps CBP identify high-risk cargo for inspection. In\n2005, we reported concerns about the data to which ATS targeting rules are applied, the use of\nexamination results to refine ATS targeting rules, and physical controls over cargo containers\ntargeted for examination.29 In our second ATS report, issued in November 2006, we reported\nthat CBP did not fully utilize other sources of intelligence information available and that national\nATS performance measures were still being developed for determining the effectiveness of the\nATS. Furthermore, we found that additional guidance for inspection of shipments with elevated\nATS scores was needed.30\n\nIn 2007, we reported that CBP was not consistently using entry data for all shipments, resulting\nin some high-risk containers being allowed to leave ports without mandatory examinations.\nFurther, flaws in the Cargo Enforcement Reporting and Tracking System may result in improper\ncontainer releases, and CBP had not automated its integration of examination findings into ATS.\nFinally, some ports needed to improve controls over high-security bolt seals. CBP concurred\nwith all of the recommendations and subsequent to the end of our fieldwork, took actions to\nimprove procedures for preventing containers from leaving the ports without the required\nexaminations.31\n\nIn the export arena, our audit concluded that outbound shipments are not consistently targeted\nand inspected by CBP officers at the ports for compliance with federal export laws and\nregulations. As a result, shipments could be exported that violate laws and regulations. We\nmade several recommendations to help CBP ensure trade adherence with federal export laws and\nregulations.32\n\nThe Coast Guard is the lead DHS agency for maritime homeland security and is responsible for\ndeveloping and implementing a comprehensive National Maritime Transportation Security Plan\nto deter and respond to transportation security incidents. The marine areas under U.S.\njurisdiction cover 3.5 million square miles of ocean, 95,000 miles of coastline, and 26,000 miles\nof commercial waters serving 361 domestic ports. These activities account for two billion tons\nand $800 billion of domestic and international freight annually. Approximately 8,000 foreign\nvessels, manned by 200,000 foreign sailors, make more than 50,000 ship visits to U.S. ports each\nyear. This, too, is a daunting management challenge.\n\nTo implement the Maritime Transportation Security Act of 2002 in a timely and effective\nmanner, Coast Guard must balance the resources devoted to the performance of homeland and\nnon-homeland security missions; improve the performance of its homeland security missions;\n28\n   DHS-OIG, ACE Release 4 Post-Deployment Problems, OIG-07-54, June 2007.\n29\n   DHS-OIG, Audit of Targeting Oceangoing Cargo Containers (Unclassified Summary), OIG-05-26, July 2005.\n30\n   DHS-OIG, Audit of Targeting Oceangoing Cargo Containers (Unclassified Summary), OIG-07-09, November\n2006.\n31\n   DHS-OIG, Targeting Oceangoing Cargo Containers 2007(Unclassified Summary), OIG-07-72, August 2007.\n32\n   DHS-OIG, Audit of CBP Export Control Activities (Unclassified Summary), OIG-07-76, September 2007.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                   32\n\x0cmaintain and re-capitalize Coast Guard\xe2\x80\x99s Deepwater fleet of aircraft, cutters, and small boats;\nrestore the readiness of small boat stations to perform their search and rescue missions; and\nincrease the number and quality of resource hours devoted to non-homeland security missions.\nFor example, while overall resource hours devoted to Coast Guard\xe2\x80\x99s homeland security missions\ngrew steadily from FY 2001 through FY 2004 and decreased marginally in FY 2005 and\nFY 2006. The Coast Guard continues to experience difficulty meeting its performance goals for\nhomeland security missions.33\n\n\n\n\n33\n     DHS-OIG, Annual Review of Mission Performance, United States Coast Guard (FY 2005), OIG-06-50, July 2006.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                                   33\n\x0c Management\xe2\x80\x99s Response to Major\n Management Challenges Facing the\n Department of Homeland Security\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report   34\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nManagement\xe2\x80\x99s Response to Major Management Challenges Facing\nthe Department of Homeland Security\nThe Reports Consolidation Act of 2000 requires that the Department include a statement by the\nInspector General that summarizes the most serious management and performance challenges\nfacing the Department and briefly assesses the progress in addressing those challenges. The\nOffice of Inspector General (OIG) considers the most serious management and performance\nchallenges to the Department to be in the following areas:\n\n    \xe2\x80\xa2   Catastrophic Disaster Response and Recovery;\n    \xe2\x80\xa2   Acquisition Management;\n    \xe2\x80\xa2   Grants Management;\n    \xe2\x80\xa2   Financial Management;\n    \xe2\x80\xa2   Information Technology Management;\n    \xe2\x80\xa2   Infrastructure Protection;\n    \xe2\x80\xa2   Border Security;\n    \xe2\x80\xa2   Transportation Security; and\n    \xe2\x80\xa2   Trade Operations and Security.\nIn addition to the OIG report on management challenges, in their biennial High-Risk Series, the\nGovernment Accountability Office (GAO) identifies federal programs and operations that are\nhigh-risk due to their greater vulnerabilities to fraud, waste, abuse and mismanagement. In\nrecent years, GAO has also identified high-risk areas to focus on the need for broad-based\ntransformations to address major economy, efficiency, or effectiveness challenges. Four of these\nareas fall within the Department\xe2\x80\x99s purview. The areas and the year the issue was identified are\nlisted below. The GAO maintains these issues in their High-Risk Series until satisfied that\nacceptable progress has been made to correct the issues.\n    \xe2\x80\xa2   Protecting the Federal Government\xe2\x80\x99s Information Systems and the Nation\xe2\x80\x99s Critical\n        Infrastructures (1997);\n    \xe2\x80\xa2   Implementing and Transforming the Department of Homeland Security (2003);\n    \xe2\x80\xa2   Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve\n        Homeland Security (2005); and\n    \xe2\x80\xa2   National Flood Insurance Program (2006).\nThe Department of Homeland Security has steadfastly worked to resolve the challenges\nidentified in the Inspector General\xe2\x80\x99s FY 2007 report and the GAO High-Risk Series. The\nDepartment will continue to address the unresolved challenges, many of which may require\nseveral years to completely address due to the complexity of the challenge. The following\nhighlights the accomplishments of the Department during FY 2007, and details some of the\nremaining plans to be completed to overcome these challenges.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        35\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nFY 2007 Challenge 1: Catastrophic Disaster Response and Recovery\nSummary of 2007 Challenge: OIG noted that the Department\xe2\x80\x99s failures after Hurricane Katrina\nilluminated a number of issues, including questionable leadership decisions and capabilities,\norganizational failures, overwhelmed response, communications systems, and inadequate\nstatutory authorities. Coordination of disaster response efforts, catastrophic planning, logistics,\nacquisitions, housing, and evacuation were among the problem areas cited by the OIG.\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   Operational planning is a core competency of the new FEMA. To strengthen our\n        response capabilities, operational planners have been hired at FEMA headquarters to\n        provide the ability to perform sophisticated operational analyses, analyze trends, and\n        improve planning for the response to ongoing and future events. Planners are also being\n        hired for the Regions to provide this same capability. With the new staff, there is now\n        greater depth and capability to prepare operational plans and conduct crisis action\n        planning to ensure that the agency can lead and support a national all-hazard emergency\n        management response.\n    \xe2\x80\xa2   Under a Gap Analysis Initiative rolled out by FEMA this past spring, a Gap Analysis tool\n        was developed in coordination with the State of New York Emergency Management\n        Office/New York City Office of Emergency Management, and implemented to provide\n        FEMA and its partners at both the State and local levels in the hurricane prone regions of\n        the country a snapshot of asset gaps. Seven critical areas were incorporated in the initial\n        application of the Gap Analysis tool for review: debris removal, commodity distribution,\n        evacuation, sheltering, interim housing, medical needs, and fuel capacity along\n        evacuation routes. Gap Analysis discussions provided an opportunity for local\n        jurisdictions to ask specific questions of Federal and State officials and identify issues of\n        critical concern to help long-term preparedness activities. Although the initial use of this\n        very successful concept was utilized for the 2007 hurricane season, this process will be\n        expanded to cover all hazards and applied nationwide in FY 2008.\n    \xe2\x80\xa2   FEMA has instituted a major Catastrophic Disaster Planning Initiative that will improve\n        response capabilities and complement the National Response Plan/Framework\n        (NRP/NRF), National Incident Management System (NIMS), and Federal, State, and\n        local planning activities. This initiative addresses both notice and no-notice events, and\n        reflects the considerable measures that DHS and FEMA and its Federal, State, and local\n        partners have taken to ensure appropriate, quick, effective, and efficient response and\n        recovery to protect the health, safety, and well-being of the population and, to the extent\n        possible, restore the infrastructure following a catastrophic event. FEMA\xe2\x80\x99s Catastrophic\n        Disaster Response Planning Initiatives are currently focused on four specific geographic\n        areas: southeast Louisiana, the eight states in the New Madrid Seismic Zone (NMSZ), the\n        State of Florida, and the State of California.\n    \xe2\x80\xa2   A Mass Evacuation Incident Annex has been developed to describe in more detail\n        evacuation functions and agency roles and responsibilities in mass evacuations. It\n        provides guidelines for evacuating large numbers of people in incidents requiring a\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                          36\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        coordinated Federal response through the NRP/NRF Emergency Support Functions, and\n        describes how Federal resources are integrated into State, local, and tribal support. In\n        addition to the Mass Evacuation Incident Annex, FEMA is also working on developing\n        an Incident Supplement to the Annex that will provide specifics regarding how and by\n        whom many of the responsibilities outlined in the Annex will be accomplished. Issues\n        such as evacuee registration and companion animal sheltering will also be addressed.\n    \xe2\x80\xa2   FEMA has also developed a new and robust Office of Acquisition Management. Staffing\n        has dramatically increased, from 98 in 2006 to 221 at the present, an increase of\n        123 acquisition personnel positions. Approximately 90 percent of acquisition positions\n        are filled. The Office has been reorganized into three core branches for greater efficiency\n        of operations.\n    \xe2\x80\xa2   Other acquisition accomplishments:\n            o Developed a Disaster Response Training Course which is required for all\n                 acquisition personnel at HQ and in the Regions who will be deployed at a\n                 disaster.\n            o Issued an Emergency Acquisition Field Guide to assist non-contracting personnel\n                 in effectively and appropriately contracting for goods and services in an\n                 emergency situation.\n            o Established a Contracting Officer Technical Representative (COTR) Training\n                 Program.\n            o Pre-positioned agreements have been established by determining what types of\n                 goods and services are traditionally utilized in a disaster. This ensures industry\n                 contracts are competitive and have a reasonable price and allows for a more\n                 responsive industry focus ensuring quick mobilization. Prior to Hurricane\n                 Katrina, there were nine contracts in place. There are currently 40 contracts pre-\n                 positioned for use in a disaster.\n\nRemaining Plans\n\n    \xe2\x80\xa2   FEMA plans to continue its aggressive staffing policies by filling vacant positions and\n        maintaining high staffing levels and succession planning. Training will also be a key\n        element. The Disaster Training Course and Emergency Acquisition Field Guide will be\n        updated as necessary. All acquisition personnel will be given training and course\n        changes and updates will be made via the Virtual Acquisition Office. COTR training will\n        also be emphasized. FEMA will ensure that the COTR Training program remains current\n        by hosting refresher courses as necessary and implementing a tiered COTR certification\n        program in order to better match COTR competencies to contract complexity.\n    \xe2\x80\xa2   FEMA plans to implement the DHS-standard (PRISM) contracting writing system which\n        will provide FEMA\xe2\x80\x99s Office of Acquisition Management with\n            o better workload tracking,\n            o more consistent and accurate reporting,\n            o improved contract writing and overall management, and\n            o enhanced and more efficient use of other Federal acquisition personnel as\n                approximately 64 percent of Federal agencies use this application.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        37\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   FEMA also plans to develop contract administration procedures for cost and schedule\n        oversight for other national procurements.\n    \xe2\x80\xa2   FEMA will develop and roll out the capability for long-term recovery planning at the\n        operational Joint Field Office level.\n\n\n\nFY 2007 Challenge 2: Acquisition Management\nSummary of 2007 Challenge: OIG commented that DHS tends to focus its strategies on the\nurgency of meeting mission needs, rather than balancing urgency with good business practices,\nleaving the Department vulnerable to spending millions of dollars on unproductive investments.\nCommon themes and risks include the dominant influence of expediency, poorly defined\nrequirements, and inadequate oversight, which can contribute to ineffective or inefficient results\nand increased costs. Of specific concern is the USCG\xe2\x80\x99s Deepwater program and CBP\xe2\x80\x99s Secure\nBorder Initiative Network (SBInet).\n\nOffice of the Chief Procurement Officer (OCPO)\n\n2007 Accomplishments\n\n    Acquisition Policy & Legislation (APL)\n    \xe2\x80\xa2 OCPO Acquisition Policy Board - OCPO stood up the OCPO Acquisition Policy Board.\n       The Board\xe2\x80\x99s membership consists of each Component\xe2\x80\x99s Head of the Contracting Agency\n       (HCA) Policy chiefs as well as a member of OCPO\xe2\x80\x99s Oversight staff. The purpose of the\n       Board is both to disseminate Department-wide acquisition policy information, as well as\n       foster dialog between Component staff members.\n    \xe2\x80\xa2 Performance-Based Acquisition (PBA) - DHS OCPO has for much of the year been\n       actively engaged in the Office of Federal Procurement Policy\xe2\x80\x99s (OFPP\xe2\x80\x99s) PBA\n       Interagency Working Group. The Group has worked to enhance OFPP\xe2\x80\x99s PBA Seven\n       Steps Guidance and make available appropriate samples tailored to Component needs.\n       Additionally, OCPO Oversight has begun during its Component reviews to check\n       acquisitions coded in the Federal Procurement Data System (FPDS) as performance-\n       based to verify if the contracts are in-fact performance-based. PBA was also one of the\n       very first Excellence in Contracting training topics.\n    \xe2\x80\xa2 Federal Acquisition Regulation (FAR) Cases \xe2\x80\x93 Through its representation on the Civilian\n       Agency Acquisition Council, OCPO is very engaged in all regulatory changes to the\n       FAR. OCPO\xe2\x80\x99s active involvement ensures that the balance between good business\n       decisions and urgency is a consideration when government-wide acquisition regulations\n       are promulgated.\n    \xe2\x80\xa2 Policy Guidance on Service Contracts \xe2\x80\x93 Because DHS utilizes a substantial amount of\n       services contracting, the Chief Procurement Officer issued a memo to Components which\n       reminded acquisition professionals of the range of types of services contracting and\n       certain restrictions that apply to each.\n    \xe2\x80\xa2 Source Selection Guide \xe2\x80\x93 During FY 2007, OCPO issued a Source Selection Guide that\n       provides extensive guidance on conducting formal source selections under FAR Part 15\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        38\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        designed to improve effectiveness in the acquisition process without sacrificing\n        efficiency.\n    \xe2\x80\xa2   Improving Competition \xe2\x80\x93 OCPO held a Competition Advocates meeting to review DHS\n        achievements and stress the importance of improving upon those achievements;\n        established a Competition Award to recognize significant achievement in strengthening\n        competition; issued an Acquisition Alert spearheading an initiative for Components to\n        correct existing records; and began a systematic review of FedBizOpps sole source\n        announcements to ensure that authorities are being appropriately used.\n    \xe2\x80\xa2   Interagency Acquisition (IAA) \xe2\x80\x93 OCPO sees IAAs as an area of risk and therefore has\n        been an active member of OFPP\xe2\x80\x99s Interagency Working Group crafting the first\n        government-wide comprehensive guidance on IAA in accordance with the Services\n        Acquisition Reform Act Panel\xe2\x80\x99s recommendations. OCPO is working to ensure that the\n        final product meets our needs.\n    \xe2\x80\xa2   Emergency Acquisition Flexibilities Guide \xe2\x80\x93 OCPO coordinated comments from\n        Components on the draft OMB guide that was published in May 2007. Use of the Guide\n        during emergency situations will enhance the Department\xe2\x80\x99s ability to complete\n        acquisitions in a timely manner.\n    \xe2\x80\xa2   Suspension & Debarment \xe2\x80\x93 OCPO participates on the Interagency Suspension and\n        Debarment Committee (ISDC) established by Executive Order 12549. ISDC issues\n        regulations with government-wide criteria for procurement and non-procurement\n        programs, facilitates lead agency coordination, and serves as a forum to discuss current\n        suspension. As a result of a July 18, 2007 Congressional hearing on responsibility issues,\n        OCPO\xe2\x80\x99s Acquisition Policy and Legislation branch (APL) compiled an extensive list of\n        Federal Government Business Systems, other public sector, nongovernmental or\n        State/city systems or entities regarding business information that may be used as a source\n        of information. APL is also participating in the discussion and analysis of an ongoing\n        ISDC Information Sharing project in response to GAO\xe2\x80\x99s study (July 2005) on six Federal\n        agencies which included management of \xe2\x80\x9cadministrative agreements\xe2\x80\x9d and \xe2\x80\x9ccompelling\n        reasons determinations\xe2\x80\x9d to continue performance.\n\n    Acquisition Oversight\n    \xe2\x80\xa2 DHS issued Management Directive 0784 formally initiating a DHS wide acquisition\n       oversight program. Under this program DHS in partnership with Component leaders\n       manage the DHS acquisition function. To date, the acquisition organizations have\n       performed a self assessment and have begun to report key metrics on a quarterly basis.\n       These metrics facilitate internal management and provide a verification mechanism to\n       ensure that data available to external organizations is accurate and complete. Currently\n       each of the acquisition organizations is undergoing a baseline review of the human\n       resources capacity, adherence to policies and procedures, and status of IT systems to\n       facilitate acquisitions and integration with financial systems. To date, OCPO has\n       completed the baseline reviews of four Components and scheduled the remainder of\n       reviews for FY 2008.\n    \xe2\x80\xa2 Acquisition Oversight conducts special reviews of specific high-risk acquisitions\n       assessing all aspects of the acquisition in support of DHS\xe2\x80\x99 mission and provides a risk\n       analysis and recommends improvements for the instant acquisition. Where applicable the\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       39\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        review also recommends systemic changes, revised policies, or improved training to\n        reduce risk for future acquisitions.\n    \xe2\x80\xa2   With respect to improving the management of service contracts, DHS conducted training\n        and additional oversight of service contracts to ensure compliance with Federal\n        regulations and procured services were provided. OCPO has internal capability to\n        monitor and investigate high-risk contracts to provide DHS with additional ability to\n        manage and control.\n\n    Acquisition Systems\n    \xe2\x80\xa2 Enterprise PRISM Instance (EPI) \xe2\x80\x93 DHS assumed control of the firewall, thereby\n       strengthening the system security. Several on-going efforts to improve internal business\n       processes and controls and increase the use of PRISM functionality are underway.\n       Several examples follow. Because EPI is not presently interfaced to the accounting\n       system, in partnership with the Finance and Program Offices, processes have been\n       instituted to prevent inconsistent recording of contract obligations in the finance system.\n       Workshops are being conducted to improve user efficiency and to identify areas for\n       improvement. Reports are being utilized to ensure that PRISM transactions are accurate\n       and complete. Training documentation has been customized to implement best practices\n       and to marry policy with system functionality.\n    \xe2\x80\xa2 Enterprise Acquisition System Initiative (EASI) - The consolidation effort of Component\n       contract writing and management systems continues to make progress. In FY 2007 work\n       began on the interface between EPI and FEMA\xe2\x80\x99s financial system.\n    \xe2\x80\xa2 Federal Procurement Data System-Next Generation (FPDS-NG) - Verification and\n       Validation Plan was developed along with additional HSAM policy to improve timeliness\n       and accuracy of reported data. DHS representatives are participating in the FPDS-NG\n       Change Control Board and User Group to continuously improve procurement reporting.\n    \xe2\x80\xa2 Acquisition Systems Governance Board (ASGB) \xe2\x80\x93 This is a DHS-wide community of\n       practice which meets on a regular basis to share leading practices and lessons learned on\n       DHS Shared eAcquisition Systems. ASGB provides input to the Department in\n       developing strategies for new automation products and services which support the\n       acquisition function.\n\n    Strategic Sourcing Program\n       \xe2\x80\xa2 In FY 2007, the DHS Strategic Sourcing Program (SSP) continued to leverage\n           leading practices to optimize its program and ensure continued support for DHS\xe2\x80\x99\n           commodity councils and for Component specific business efforts. Positive results in\n           price reductions, cost avoidances, and socioeconomic participation continued to be\n           impressive, with the following delivered:\n\n            o Cost Avoidance - Achieved $99,252,306 in Price Reductions and $690,714 in\n              Cost Avoidances. These results were achieved by multiple initiatives across eight\n              of DHS\xe2\x80\x99 14 commodity councils;\n            o Deliveries - Delivered eight distinct strategically sourced vehicles that will\n              potentially place billions of dollars with small business while meeting the\n              stringent operational requirements of DHS\xe2\x80\x99 end-users; and\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       40\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n            o Performance Measures - Implemented various performance measures, in addition\n              to price reductions and cost avoidances, to gauge the success of its programs.\n              Representative performance measures that were utilized during FY 2007 included\n              reduced downtime, total costs for maintenance moves and installation reductions,\n              and awards, recognition, and customer satisfaction surveys.\n\n    Program Management\n    \xe2\x80\xa2 OCPO has reorganized to include a Program Management SES-level directorate to\n       develop and disseminate policy on program management to DHS Components.\n    \xe2\x80\xa2 Additional certified program managers (PM) are now on board as a result of various DHS\n       PM training programs, totaling 237 certified program managers since December 2006.\n       This is a 53 percent increase in the past nine months.\n    \xe2\x80\xa2 Additionally, in September 2007, a Memorandum of Agreement (MOA) was signed\n       between the DoD and DHS. This strategic relationship enables DHS to take direct\n       advantage of the Defense Acquisition University\xe2\x80\x99s acquisition, technology and logistics\n       expertise in training, consulting, knowledge sharing, continuous learning, career\n       workforce planning, and management services.\n    \xe2\x80\xa2 One of the Chief Procurement Officer\xe2\x80\x99s top priorities is to build a strong acquisition\n       system, with the right people, in DHS. OCPO is doing that through initiatives such as\n       building standards for all acquisition professionals in DHS, installing a metrics system to\n       measure cost, schedule and performance of major programs, and redesigning the\n       investment review process, as examples. OCPO is also hiring experts in various\n       acquisition career fields to build those competencies and systems throughout DHS.\n       OCPO already has several program managers, cost estimators, Testing & Evaluation\n       personnel, and a logistician at present.\n    \xe2\x80\xa2 OCPO initiated program reviews on designated Level 1 investments, to strengthen the\n       investment review process and provide greater independent analysis in an effort to\n       mitigate risk. These reviews are scheduled for completion in first quarter FY 2008, with\n       more extensive reviews as needed. This initiative is a three-prong approach in helping to\n       identify and mitigate high-risk areas, provide a mechanism for sharing best practices, and\n       promulgate policies and processes, as well as identify competencies gaps/training needs.\n    \xe2\x80\xa2 Additionally, OCPO uses the Program Management Council, co-chaired by an\n       operational program manager and the CPO, as a Department-wide forum for involvement\n       as DHS builds acquisition expertise.\n\n\n    Acquisition Workforce\n    \xe2\x80\xa2 Established framework for a developmental program to bring in up to 60 entry level\n       positions in the 1102 career field, train the interns and provide broad experience across\n       DHS to assist in closing the gap in contracting career field vacancies.\n    \xe2\x80\xa2 Improved certification process for the three current acquisition career fields within DHS\n       Program Managers, Contracting Officer Technical Representatives, and Contract\n       Specialists.\n    \xe2\x80\xa2 Participated in Government-wide emergency contracting working group to identify a\n       cadre of specially trained contracting officers to provide support in catastrophic\n       emergencies.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       41\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Established and managed training for the 1102 career field within DHS. Conducted one\n        hour DHS wide training sessions to address specific acquisition issues and immediately\n        address gaps in training or acquisition processes.\n\n    Office of Small and Disadvantaged Business Utilization\n    \xe2\x80\xa2 Met OCPO\xe2\x80\x99s goal of making good business deals and supporting public policy objectives\n       such as the Federal small business program. The U.S. Small Business Administration\n       recently recognized DHS in their first annual small business scorecard with a score of\n       green, one of only seven out of 24 Federal departments to receive a green score.\n\nRemaining Plans\n\n    Acquisition Policy & Legislation\n    \xe2\x80\xa2 Emergency Procurement Tool Box/Framework \xe2\x80\x93 OCPO is currently working an initiative\n       with FEMA to develop a framework in order to be able to expedite the acquisition\n       function in the event of a significant national emergency, per the National Response Plan.\n    \xe2\x80\xa2 Kaizen Event on Interagency Contracting - In conjunction with active participation in\n       OFPP\xe2\x80\x99s Working Group developing a Government-wide Guide on Interagency\n       Acquisition, OCPO is sponsoring and leading a Lean Six Sigma Kaizen event for the\n       purpose of developing a Management Directive on Interagency Acquisition for the\n       Department.\n    \xe2\x80\xa2 Price Fighters Memorandum of Understanding (MOU) \xe2\x80\x93 OCPO is negotiating an MOU\n       with Navy Inventory Control Point (NAVICP) to provide cost and pricing support for\n       major Department acquisitions.\n    \xe2\x80\xa2 Updating HSAM and/or Management Directive Guidance \xe2\x80\x93 seven documents are being\n       developed.\n    \xe2\x80\xa2 Electronic HSAR/HSAM - OCPO Acquisition Policy is engaged in integrating the HSAR\n       and HSAM into a single electronic document to assist Component operational personnel\n       with research Department acquisition policy. Future plans include providing links within\n       the body of the revised HSAR/HSAM document to other applicable documents (e.g.,\n       memos, directives, training slides, etc.) to enable \xe2\x80\x9cone-stop shopping.\xe2\x80\x9d\n    \xe2\x80\xa2 Homeland Security Acquisition Regulation (HSAR) Cases \xe2\x80\x93 OCPO is engaged in\n       developing seven DHS-only acquisition regulations.\n    \xe2\x80\xa2 E-Verify \xe2\x80\x93 Crafted a Federal Acquisition Regulation rule to require Federal contractors to\n       verify the employment eligibility of their employees. OMB approved going forward.\n       The FAR change is currently in process. This is a major step in increased enforcement of\n       ensuring only eligible persons work in the United States.\n    \xe2\x80\xa2 Time and Material (T&M) Contracts \xe2\x80\x93 OCPO is developing guidance on the use of T&M\n       in response to recent changes in Government-wide T&M policy.\n    \xe2\x80\xa2 Competition \xe2\x80\x93 Various activities for improving the level of competition are currently in\n       process.\n    \xe2\x80\xa2 Contract Funding Guidance \xe2\x80\x93 Guidance on contract funding is currently in review. It\n       discusses FAR contract funding policies and clauses to assist Contracting Officers in\n       developing effective strategies that afford the maximum benefit to DHS contracts and\n       programs.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       42\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Blended Workforce Initiative- Discussions are underway regarding the development of a\n        reporting system to obtain information from contractors on the types and amounts of\n        contracted labor being performed under DHS\xe2\x80\x99 services contracts for the purpose of\n        enabling DHS to better manage use of contractors performing functions on behalf of\n        DHS.\n    \xe2\x80\xa2   Acquisition Guidelines \xe2\x80\x93 APL plans to develop new form of communicating with\n        Components to provide timely \xe2\x80\x9chow to\xe2\x80\x9d and interpretive guidance. This will be a series\n        of \xe2\x80\x9cAcquisition Guidelines\xe2\x80\x9d that will be published on the web and will be linked to and\n        from various HSAR/HSAM policies.\n\n    Acquisition Oversight\n    \xe2\x80\xa2 Of the eight full acquisition organizations, four baseline onsite acquisition reviews are\n       physically complete. The remaining four have been scheduled and will be completed by\n       October 2008.\n    \xe2\x80\xa2 Review of the full role of acquisition oversight.\n\n    Acquisition Systems\n    \xe2\x80\xa2 EPI Rehost - EPI will be moved to the DHS Hosting Facility in FY 2008. This is to\n       increase system security.\n    \xe2\x80\xa2 Enterprise Reporting \xe2\x80\x93 will improve reporting and management controls by increasing\n       data sharing which will enable better business decisions.\n    \xe2\x80\xa2 EASI - FEMA and FLETC are scheduled to go live on EPI.\n    \xe2\x80\xa2 eInvocing \xe2\x80\x93 will reduce Prompt Payment Act interest penalties and streamline the invoice\n       approval process.\n\n    Program Management\n    \xe2\x80\xa2 DHS currently has three acquisition career fields for which DHS has certification\n       standards (Contracting Officer, Contracting Officer\xe2\x80\x99s Technical Representative, and\n       Program Manager). DHS will be adding certification standards for other acquisition\n       career fields, including logistics, systems engineering, cost estimating, and test and\n       evaluation as soon as practicable. OCPO plans to meet both the civilian agency\n       standards, where they exist (currently for contracting and program management), as well\n       as meeting the DAWIA standards, so as to ensure the Department has the best acquisition\n       workforce.\n\n    \xe2\x80\xa2   DHS is retooling the process for reviewing and approving major Department programs\n        and has begun its review of existing programs to determine how to proceed.\n    \xe2\x80\xa2   OCPO is conducting Quick Look reviews of all Level 1 acquisition programs. The Quick\n        Look Reviews are designed to provide a rapid assessment of the risk in the Level 1\n        Acquisition Program Portfolio. The results will be used to identify any high-risk\n        programs for which a more in-depth review may be tasked. These reviews will also\n        provide insight into Component governance and oversight processes that DHS can\n        leverage to refine Departmental acquisition policies and processes.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       43\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    Acquisition Workforce\n    \xe2\x80\xa2 FY 2008 will be the first fiscal year implementing the new intern training and\n       development program. As implementation proceeds, additional interns will be added and\n       improvements to the program will be instituted.\n    \xe2\x80\xa2 Additional acquisition career fields required for successful execution of acquisition\n       programs will be identified. Specific training and certification requirements will be\n       assessed for each of these new career fields.\n    \xe2\x80\xa2 A mechanism to identify acquisition corps members will be developed.\n    \xe2\x80\xa2 Training funds will be centralized to efficiently ensure that all acquisition corps members\n       receive prompt training so they can better perform the mission and improve within the\n       career field.\n    \xe2\x80\xa2 Recruitment efforts will be centralized to improve efficiency.\n\nU.S. Coast Guard Deepwater Acquisition\n\nFive years into this 25-year acquisition, USCG has overcome many significant challenges, though\nmore remains to be done. As a result of those lessons learned, USCG is taking aggressive action to\nstrengthen program management and execution. By redefining roles and responsibilities,\nfundamentally changing relationships with industry, and by strengthening the assessment of\ngovernment and industry performance, the Deepwater program is showing notable improvements\nin multiple areas.\n\n2007 Accomplishments\n\n    Stand-up of the Acquisition Directorate\n    \xe2\x80\xa2 As outlined in the Blueprint for Acquisition Reform, one important objective was to\n       establish a consolidated acquisition directorate which initially came together on July 13,\n       2007. As part of this consolidation, the Acquisition Directorate, the Deepwater Program\n       Office, the Office of Procurement Management, the Office of Research, Development,\n       and Technical Management, the Research and Development Center, and the Head of the\n       Contracting Authority have been brought together under one roof, led by an Assistant\n       Commandant for Acquisition. This means that USCG is better able to allocate its\n       contracting and acquisition professionals and resources to focus on excellence in program\n       management and contract execution. This is expected to create more efficient and\n       consistent processes, leading ultimately to a more effective acquisition organization.\n\n\n    Changes in the Contract Structure\n    \xe2\x80\xa2 As the OIG has suggested, USCG agrees that working closely with industry is still the\n      best approach to recapitalizing and modernizing USCG\xe2\x80\x99s platforms and mission systems.\n      However this relationship must be based on sound business practices to ensure suppliers\n      can meet the Government\xe2\x80\x99s requirements while adhering to cost, schedule and\n      performance parameters. Therefore, in all dealings with the private sector, USCG is\n      ensuring new acquisition contracts are clearly written and provide for careful\n      Government oversight and management of manufacturer\xe2\x80\x99s cost, schedule, and\n      performance.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       44\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   In an effort to better define program requirements, USCG has improved the detailed\n        Delivery Task Orders by increasing the use of Statements of Work specifications as\n        compared to Statements of Objective. This reflects a strategic change for USCG by\n        transitioning from a pure performance based approach for assets towards more explicit\n        contract language which includes relevant specifications, standards, and increased written\n        detail as recommended by OIG.\n\n    Implementing the Blueprint for Acquisition Reform\n    \xe2\x80\xa2 To guide its acquisition reform and business transformation initiatives, USCG developed\n      and published its own strategic and overarching vision called the Blueprint for\n      Acquisition Reform modeled after that developed by GAO for the assessment of Federal\n      Government acquisition processes.\n    \xe2\x80\xa2 The success or failure of USCG\xe2\x80\x99s acquisition reform initiatives will be tracked by two\n      tiers of metrics. The first is to measure activity called for in the Blueprint on how USCG\n      is doing in executing the plan of action and milestones that are outlined in the Blueprint.\n    \xe2\x80\xa2 A more important metric, which will be longer in coming, is the measurement of return\n      on investment measured against project cost, schedule, and performance. It will take\n      time to generate that strategic assessment, \xe2\x80\x9cHow does the Blueprint reflect back on Coast\n      Guard project and program execution?\xe2\x80\x9d\n\n    Establishing a Capable Acquisition Workforce\n    \xe2\x80\xa2 USCG has built a much more capable acquisition organization than it has ever had.\n       Among many attributes this right-sized dedicated USCG acquisition workforce\n       incorporates two underlying principles: (1) reinvigorated and documented use of a\n       technical authority, outside the acquisition directorate, for all major projects and (2)\n       partnering with other government agencies whenever additional competencies are\n       needed.\n    \xe2\x80\xa2 Some of the significant accomplishments during 2007 were:\n           o Creating a standard Project Management Core Team model, which is consistent\n               across all USCG acquisition projects and includes all critical functions in support\n               of project execution;\n           o Conducting an assessment of current certification levels to ensure personnel are\n               aligned with their respective roles and expected outputs; and\n           o Evaluating, and revising as necessary, position descriptions for proposed new\n               hires.\n\n\n    Improvement of Technical/Program Oversight\n    \xe2\x80\xa2 The Assistant Commandant for Engineering and Logistics has been designated as the\n      technical authority for all designs and design changes, the Assistant Commandant for\n      Operations for definition of asset performance requirements, and the Assistant\n      Commandant for Command, Control, Communications, Computers, and Information\n      Technology (C4IT) as the technical authority for all Command, Control,\n      Communications, Computers, Intelligence, and Reconnaissance (C4ISR) systems and\n      equipment. Additionally, the Assistant Commandant for Human Resources is the\n      technical authority for all USCG human resource issues. This means that project and\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        45\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        program managers, as well as associated contracting and acquisition professionals, have a\n        direct link back to technical and operational experts to ensure that designs are technically\n        robust, meet standards and are supportable.\n    \xe2\x80\xa2   In order to strengthen Government management and oversight of the Deepwater program,\n        as well as to better position USCG to fully oversee the contractor and effectively\n        adjudicate technical concerns, all Integrated Product Teams (IPT) must be chaired by a\n        USCG officer or employee. That change was executed in March 2007. Additionally, all\n        IPT charters have been re-examined to determine where other changes are needed.\n        USCG leadership of IPTs means USCG is better able to resolve non-major technical\n        concerns or, where concerns persist, raise them to the appropriate management and\n        contracting levels for adjudication.\n    \xe2\x80\xa2   To ensure that designs and assets will meet USCG needs, there has been in increase in the\n        use of independent, third-party review and analysis (in concert with the USCG technical\n        authorities) for all new starts or substantial design changes. Inherent in this initiative is a\n        renewed commitment to utilize full business case analyses for all new acquisition\n        decisions to instill confidence that USCG is building and buying the right tools for our\n        Coast Guard men and women and at the best value for taxpayers.\n    \xe2\x80\xa2   The Directorate has placed renewed emphasis on the USCG\xe2\x80\x99s Major Systems Acquisition\n        Manual (MSAM) and DHS-sanctioned processes for program management and\n        acquisition.\n\nRemaining Plans\n\n    Alternatives Analysis\n    \xe2\x80\xa2 USCG\xe2\x80\x99s Acquisition Directorate has asserted its role as the lead systems integrator across\n       its entire $27 billion investment portfolio. The investment portfolio includes the 25-year,\n       $24 billion Integrated Deepwater System (IDS), the largest of eight major acquisition\n       programs. The IDS program modernizes and recapitalizes legacy surface, air, and shore\n       assets to enable USCG to deploy more capable and interoperable offshore maritime patrol\n       and interdiction forces. As lead systems integrator, USCG has restructured Deepwater\n       and the rest of the Coast Guard\xe2\x80\x99s acquisition investment portfolio under the aegis of\n       proven acquisition policies and processes, including the procurement principles outlined\n       in USCG\xe2\x80\x99s MSAM.\n    \xe2\x80\xa2 MSAM requirements state that an Alternatives Analysis (AA) should be conducted and\n       updated whenever significant changes occur in requirements, life cycle cost estimates, or\n       return on investment assessments. The original Deepwater AA was conducted by\n       industry teams as part of the Deepwater proposal process (circa 2001). Operational\n       requirements and design changes that have evolved since September 11, 2001 make it\n       prudent and timely to conduct an independent AA at this time, in order to ensure that\n       USCG continues to acquire systems that fully meet its mission needs. Therefore, in\n       accordance with requirements set forth in the MSAM, the Coast Guard is conducting a\n       state-of-the-market AA of the Deepwater program. The AA will be a program-wide\n       analysis and will include an assessment of the major systems and platforms within the\n       IDS projects. The AA is a positive step in that it aligns with best practices established\n       through DHS and OMB acquisition policy.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                            46\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    Workforce Management Analysis\n    \xe2\x80\xa2 The USCG Human Capital Strategy will include a Long-Range Workforce Plan for the\n      entire USCG Acquisition Directorate. The Long-range Workforce Plan will describe the\n      specifics of the necessary workforce over several years. It will forecast and convey the\n      specific skill sets and competencies needed, broken down by both full time equivalent\n      and functional area. The Long-range Workforce Plan will be a dynamic plan linked to\n      acquisition program execution schedules, maintained by Acquisition Program and Project\n      Managers. This dynamic linkage will allow human capital managers to plan for future\n      workforce needs well in advance, and to react swiftly to changes in acquisition strategy\n      initiated at the program or project level.\n\nSBInet Management\n\n2007 Accomplishments\n\n    Fielding Border Surveillance Technologies/SBInet Program Management\n    \xe2\x80\xa2 CBP awarded an SBInet task order to demonstrate the effectiveness of the overall\n        approach to SBInet along 28 miles of border flanking the Sasabe Port of Entry in\n        Arizona. CBP has made significant progress in implementing Project 28, including\n        deploying all nine re-locatable camera and radar towers, and fitting all 50 of the Project\n        28 agent vehicles with Common Operating Picture hardware.\n    \xe2\x80\xa2 Under the SBInet prime contract, CBP awarded a task order for the test and evaluation of\n        fencing solutions. The purpose was to test effective low-cost solutions that meet\n        operational requirements and can be reproduced for rapid deployment along the\n        Southwest Border. This testing will help CBP add to existing tactical infrastructure to\n        reach a total of 370 miles of fencing and 200 miles of vehicle barriers by the end of\n        calendar year 2008.\n    \xe2\x80\xa2 CBP met its commitment to construct 70 miles of primary fencing along the Southwest\n        Border. This effort was comprised of both new and previously planned projects brought\n        together under SBInet.\n    \xe2\x80\xa2 CBP formed a Secure Border Initiative (SBI) Executive Steering Committee (ESC) to\n        provide oversight of the implementation of SBI and SBInet. The SBI ESC serves as an\n        advisory board, helping the SBI Executive Director to effectively implement program\n        management decisions.\n    \xe2\x80\xa2 SBI is developing, documenting, and implementing sound program and performance\n        management processes. SBI developed a process asset library, with a baseline of\n        76 program management policies, plans, processes and procedures. The program has\n        established scheduling standards for the development and maintenance of the Integrated\n        Master Schedule and project schedules. SBI has established processes and procedures for\n        Earned Value Management System baseline analysis and reporting. Monthly Program\n        Management Reviews, which address cost, schedule, performance, and risk \xe2\x80\x93 are\n        conducted to monitor the program progress. Oversight of Prime contractor deliverables\n        are performed to ensure measures and metrics reported are consistent and traceable to the\n        Quality Assurance Surveillance Plan.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       47\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   SBI and SBInet have significantly increased organizational capacity, adding 168 staff\n        members to help manage the program and address crosscutting issues such as\n        coordination with USCG on maritime border security issues.\n\nRemaining Plans\n\n    Fielding Border Surveillance Technologies / SBInet Program Management\n    \xe2\x80\xa2 CBP is committed to build a total of 370 miles of fence and 200 miles of vehicle barriers\n        along the Southwest Border by the end of calendar year 2008.\n    \xe2\x80\xa2 CBP is committed to deploying 70 communications, camera, and radar towers by the end\n        of calendar year 2008.\n\n\nFY 2007 Challenge 3: Grants Management\nSummary of 2007 Challenge: The OIG letter acknowledges that managing the multitude of grant\nprograms within DHS poses a significant challenge. Further, the grant programs of other Federal\nagencies that assist State and local governments in improving their abilities to prepare for,\nrespond to, and recover from acts of terrorism or natural disasters compound this challenge.\nCongress continues to authorize and appropriate funding for individual grant programs with\nsimilar, if not identical, purposes. However, they comment that the Department must do more to\ncoordinate and manage grants that are stove-piped for specific, but often related purposes, to\nensure they are contributing to our highest national preparedness and disaster recovery goals,\nrather than duplicating one another and being wasted on low-priority capabilities.\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   FEMA streamlined business processes from three legacy organizations into one FEMA\n        Grants Directorate (transitioned legacy Preparedness Grants into FEMA).\n    \xe2\x80\xa2   FEMA migrated the Grants and Training IFMIS Financial System and the Payment and\n        Reporting System web system from the Office of Justice Programs to FEMA.\n    \xe2\x80\xa2   FEMA stood up a Grant Programs Directorate with no additional resources and awarded\n        over $4 billion dollars in non-disaster Federal assistance while working through transition\n        issues of migrating the Office of Grants and Training to FEMA.\n    \xe2\x80\xa2   FEMA provided advanced level grants management training to States, local governments,\n         non-profit organizations, and other grantee recipients all across the country and in the\n        territories.\n    \xe2\x80\xa2   FEMA Headquarters (HQ) collaborated with its Regions to interview 20 Grants\n        Management Specialists (GMS) to begin financial grants work related to transitioned\n        preparedness grants in the Regions. This was a huge undertaking for both HQ and\n        Regional offices as these positions came as a result of the reprogramming and were\n        announced and interviewed in a short timeframe.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        48\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\n    \xe2\x80\xa2   FEMA is striving for strong collaboration with its Regional offices to work towards the\n        new FEMA vision.\n    \xe2\x80\xa2   FEMA will hire and train 20 new Grants Management Specialists in the Regions to\n        facilitate more coordination with local partnerships.\n    \xe2\x80\xa2   FEMA is working to transition the administration of preparedness grants to FEMA\n        Regional offices.\n    \xe2\x80\xa2   DHS is in the process of streamlining all the DHS grant management business processes\n        to provide oversight monitoring capability as well as unified grant management\n        processing.\n    \xe2\x80\xa2   DHS HQ is establishing a DHS-wide audit tracking system that will record and track\n        resolution completion for the A-133 audit process. This will ensure that audits are\n        resolved in a timely manner and that trends in audit findings are addressed.\n    \xe2\x80\xa2   DHS is working with the OIG in reviewing the 36 Federal assistance programs (identified\n        as potential programs that may duplicate DHS programs) to determine if they duplicate or\n        complement DHS programs.\n    \xe2\x80\xa2   DHS HQ is anticipating the transfer the Office of Grant Policy and Oversight from the\n        Office of the Chief Procurement Officer to the Office of the Chief Financial Officer in\n        order to provide resources for a more robust oversight capability related to accountability\n        of funds, internal controls and audit processing.\n\n\nFY 2007 Challenge 4: Financial Management\nSummary of 2007 Challenge: Per OIG, financial management is a significant challenge for\nDHS. A number of material weaknesses in internal control continue to exist. The material\nweaknesses in internal control are impediments to obtaining an unqualified opinion and have\nprecluded management from giving positive assurance over internal control at the Department\nlevel. DHS\xe2\x80\x99 ability to obtain an unqualified audit report, and provide assurances that its system\nof internal control is designed and operating effectively, is highly dependent upon process and\nprocedural improvements across DHS.\n\nHowever, the Department notes that many of our material weaknesses were inherited and are\nlongstanding challenges. These challenges will not be solved in a single step, but through near\nand long-term fixes. The auditor\xe2\x80\x99s reports highlight the challenges we face. They identified\nweaknesses that have occurred for a variety of reasons common to newly formed organizations,\nsuch as inconsistent processes, reliance on legacy policies, undeveloped internal controls,\nincomplete and inaccurate information, or systems that cannot properly process reliable data and\ninformation. But we are not stopping at simply fixing what the auditors find. One of the most\nimportant lessons learned from our initial years of implementing the DHS Financial\nAccountability Act involved shifting from just focusing on audit opinions or addressing auditor-\nidentified issues to also building support for the Secretary\xe2\x80\x99s Assurance Statement by focusing on\nmanagement-identified root causes and management-performed test work. While audit\noutcomes are important, we will also concentrate on management\xe2\x80\x99s responsibility for internal\ncontrols. Through our multi-year internal controls assessments, we are documenting the design\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        49\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nof our controls to best discover the root causes of a problem and to guide our corrective action\nefforts. We will then test their operating effectiveness to build support for the Secretary\xe2\x80\x99s\nAssurance Statement.\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   On March 1, 2007, the Secretary and Chief Financial Officer issued the inaugural version\n        of the Internal Control Over Financial Reporting (ICOFR) Playbook. The ICOFR\n        Playbook represents an ambitious multi-year effort to build assurances and retire material\n        weakness conditions. Highlights of significant FY 2007 accomplishments include:\n            o Strengthened the control environment within the Office of the Chief Financial\n                Officer and bolstered financial management and oversight functions with the\n                strong support of the Department\xe2\x80\x99s Secretary and Under Secretary for\n                Management;\n            o Implemented Department-wide financial reporting process improvements;\n            o Developed Department-wide financial management policies and procedures;\n            o Developed standard operating procedures at TSA to improve financial reporting\n                control activities;\n            o Provided oversight and held Component management accountable for financial\n                system security corrective actions through partnership between the Under\n                Secretary for Management, Chief Financial Officer, Chief Information Officer,\n                and Chief Information Security Officer, resulting in compliance with the Federal\n                Information Security Management Act;\n            o Implemented policies and procedures to improve accounting for legal contingent\n                liabilities, intragovernmental and interdepartmental reconciliations, and\n                capitalization of internal use software; and\n            o Sustained FY 2006 progress at ICE and eliminated all remaining ICE material\n                weakness conditions.\n\nRemaining Plans\n\n\n    \xe2\x80\xa2   Significant challenges remain at USCG and FEMA. To support these Components, the\n        Department\xe2\x80\x99s Chief Financial Officer conducts monthly corrective action meetings with\n        Senior Management and weekly working group meetings with Senior Staff. Highlights\n        of these support efforts include:\n            o Setting USCG priorities for resolution of ten material weakness conditions, based\n                on risk, resource availability, mission impact, and other factors.\n            o Partnering with the Under Secretary for Management and Department\xe2\x80\x99s Chief\n                Procurement Officer to strengthen management and oversight functions at FEMA\n                and establishing internal controls for delivering benefits and assistance to disaster\n                victims.\n    \xe2\x80\xa2   A summary of planned corrective action efforts is provided within the Other Additional\n        Information\xe2\x80\x99s Summary of Financial Statement Audit and Management Assurances\n        section.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                           50\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nFY 2007 Challenge 5: Information Technology Management\nSummary of 2007 Challenge: According to OIG, integrating information technology (IT)\nsystems, networks, and capabilities of the various legacy agencies to form a single infrastructure\nfor secure, effective communications and information exchange remains one of DHS\xe2\x80\x99 biggest\nchallenges. OIG believes it is essential that DHS implement a Department-wide program to\nensure effective information security controls and address IT risks and vulnerabilities. They also\nbelieve it is critical that the Department acquire and implement systems and other technologies to\nstreamline operations within DHS Component organizations, and to support effective\ninformation sharing with State and local governments, the private sector, and the public. Finally,\nthey opine that DHS is challenged in addressing privacy concerns while integrating its myriad\nsystems and infrastructures.\n\n\nDepartment-wide IT Infrastructure\n\n2007 Accomplishments\n\n      Department-wide IT\n      \xe2\x80\xa2 Completed 50 percent of IT projects within 10 percent of the cost and schedule dates.\n      \xe2\x80\xa2 Integrated information security architecture with DHS Enterprise Architecture (EA),\n         System Development Life Cycle (SDLC), Capital Planning Investment Control (CPIC),\n         and acquisition processes.\n      \xe2\x80\xa2 Implemented National Institute of Standards and Technology (NIST) SP 800-53 in\n         policy and information security compliance tools.\n      \xe2\x80\xa2 Developed and deployed the DHS Information Security Scorecard for communicating\n         departmental progress in Certification and Accreditation (C&A), FISMA Compliance\n         and Weakness Remediation.\n      \xe2\x80\xa2 Consolidated IT support for unclassified, Secret, and Top Secret local area networks\n         (LANs) into a single vendor to improve service delivery and cost efficiency.\n      \xe2\x80\xa2 Leveraged delivery of infrastructure operations and management (O&M) to capture\n         additional cost reductions and efficiencies as the population continues to grow.\n      \xe2\x80\xa2 Supported the migration of legacy data centers to two DHS Data Centers.\n      \xe2\x80\xa2 Increased the use of IT research and advisory service contracts by DHS personnel by\n         100 percent over the prior year.\n      \xe2\x80\xa2 Developed and initiated a plan to establish test facilities at the DHS enterprise data\n         center.\n      \xe2\x80\xa2 Developed a plan to integrate DHS IT test facilities and consolidate these with data\n         centers in coordination with Science and Technology Directorate.\n\n\n      Information Technology Services\n      \xe2\x80\xa2 Continued the enterprise implementation of the Department-wide Smart Buy enterprise\n         license agreement for access to Geographic Information System (GIS)\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       51\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n          software/training, saving DHS approximately $4 million over General Services\n          Administration (GSA) list pricing.\n      \xe2\x80\xa2   Coordinated a Department-wide investment in geospatial data through partnership with\n          the National Geospatial-Intelligence Agency and the U.S. Geological Survey, achieving\n          $12 million in cost avoidance.\n      \xe2\x80\xa2   Implemented the Enterprise Information Repository to support IT security, portfolio\n          management, program oversight, and Enterprise Architecture governance.\n      \xe2\x80\xa2   Completed the target architecture for the Technology Reference Model (TRM),\n          including completion of Enterprise Architecture (EA) TRM insertion packages for 18\n          critical technology areas.\n      \xe2\x80\xa2   Formalized a strategy for the enhancement of information sharing by developing and\n          enhancing workflow, document management, and Business Process Management\n          (BPM) capabilities to increase user satisfaction by 40 percent and decrease cost by 15\n          percent while also reducing production time by 25 percent.\n      \xe2\x80\xa2   Established a repeatable process for the DHS CIO to approve procurements that contain\n          IT elements of $2.5 million and above to ensure that all contracts fully comply with\n          FISMA;\n            o Partnered with the Office of Procurement Operations (OPO) and Chief of\n                Administrative Services (CAO) to share data to provide offices with advanced\n                notice of procurements and purchases of property.\n            o Established preliminary performance measures that will be refined after at least\n                12 months of data are reported.\n      \xe2\x80\xa2   Developed and executed the IT Budget Review Process, ensuring that IT requirements\n          are integrated with the FY 2009-2013 Resource Allocation Plan data call. Reviewed\n          and made recommendations regarding Component portfolio and investment IT budgets.\n          Reduced duplication and showed cost savings of 5 percent of the budget of one\n          portfolio through the analysis and implementation of recommendations.\n      \xe2\x80\xa2   Complied with the President\xe2\x80\x99s Management Agenda (PMA) and the OMB mandate to\n          implement and monitor Earned Value Management (EVM) and Operational Analysis\n          (OA).\n      \xe2\x80\xa2   Identified Portfolio Managers for all of the DHS Portfolios and half of the Portfolio\n          managers directly contributed Portfolio analysis to the budget, acquisition, and\n          investment review process.\n      \xe2\x80\xa2   Implemented Application Authentication for: the Secretary\xe2\x80\x99s Priority Tracker, the\n          Homeland Secure Information Network (HSIN), DHS\xe2\x80\x99 primary authentication service\n          enabling E-authentication, and for the FedBridge capability for the Department.\n          Identified and consolidated the Disaster Management (DM) technology platform onto\n          the target HSIN platform, resulting in more than $2 million savings in FY 2007.\n      \xe2\x80\xa2   Integrated Disasterhelp.gov with E-authentication, meeting the OMB milestones.\n      \xe2\x80\xa2   Implemented new enterprise Learning Management Systems for DHS headquarters and\n          several Components.\n      \xe2\x80\xa2   Issued first DHS Smartcard in advance of the October 27, 2006 deadline.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       52\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n      Wireless Activities/Security Activities\n      \xe2\x80\xa2 Processed 3,795 frequency assignment records in support of DHS operations including\n        coordination of 410 assignment proposals and spectrum support for CBP Project-25\n        upgrade and modernization efforts in Arizona.\n      \xe2\x80\xa2 Jointly led with the Department of Justice (DOJ) government-industry interchange,\n        design competition, and final selection for $10 billion, 15-year Integrated Wireless\n        Network contract vehicle.\n      \xe2\x80\xa2 Established a primary Network Operation Center (NOC) and Security Operation Center\n        (SOC) to full operating capability.\n      \xe2\x80\xa2 Completed 90 percent of Component migrations to MS Exchange.\n\n      Homeland Secure Data Network\n      \xe2\x80\xa2 Established a second backup data center at the Stennis, Mississippi data center to\n        provide increased system availability and disaster recovery with 24/7 operations during\n        times of national incidents or disasters.\n      \xe2\x80\xa2 Established a secondary access point to DOD Secret Internet Protocol Router Network\n        (SIPRNet) to increase availability to HSDN critical customers.\n      \xe2\x80\xa2 Migrated the HSDN Backbone to OneNet, providing OneNet connectivity to the HSDN\n        Data Center to support field site deployments on OneNet.\n\n      Information Security\n      \xe2\x80\xa2 Comprehensive Certification and Accreditation process in place.\n            o At the end of July 2007, 88 percent of FISMA systems had valid Authority to\n               Operate letters.\n      \xe2\x80\xa2 Improved Plan of Action and Milestones (POA&M) tracking process for remediating\n          security weaknesses\n            o Closed 363 of 438 IT security audit findings.\n      \xe2\x80\xa2 Annual user IT Security Awareness Training is at or near 100 percent for all employees\n          and contractors with system access.\n      \xe2\x80\xa2 Configuration guides have been published for all operating systems in the department.\n            o The Department has validated configuration compliance programs for all\n               Components.\n            o Components have reported that over 90 percent of systems in the Department\n               have implemented configuration guides.\n            o Percentage of systems that have completed annual National Institute of Standards\n               and Technology Special Publication 800-53 assessments is over 90 percent..\n      \xe2\x80\xa2 Enhanced security operations capability.\n            o All Components now regularly report IT security incidents to the DHS Security\n               Operations Center, who in turn report to US-CERT, as appropriate.\n            o Improved DHS Security Operations Concept of Operations published in 2007,\n               detailing specific enterprise-wide security operations procedures.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       53\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans:\n\n      Department-wide IT\n      \xe2\x80\xa2 Maintain full FISMA compliance for each of 700+ systems in the Department\xe2\x80\x99s\n         inventory.\n      \xe2\x80\xa2 Complete the implementation of the plan to retire all financial systems security\n         weaknesses.\n      \xe2\x80\xa2 Update Security Policy and Architecture Guidance to address new operational\n         requirements, advancing technology, and new threats as well as adapting new best\n         practices.\n      \xe2\x80\xa2 Complete a rigorous review and analysis of the standards, products, and services\n         contained in the Technical Reference Model to ensure they comply with the Security\n         Architecture.\n      \xe2\x80\xa2 Begin to replace all IT hardware assets per National Capital Area (NCA) - developed\n         replacement periods (e.g., wireless devices \xe2\x80\x93 18 to 24 months, personal equipment \xe2\x80\x93 36\n         months, and server/network equipment \xe2\x80\x93 48 to 60 months).\n      \xe2\x80\xa2 Conduct requirements gathering and planning for the development of the new\n         consolidated DHS location at the St. Elisabeth\xe2\x80\x99s campus.\n      \xe2\x80\xa2 Ensure capability readiness and migrate legacy data center systems to the two DHS\n         Data Centers.\n      \xe2\x80\xa2 Implement testing of information technologies at the DHS enterprise data center.\n\n      Information Technology Services\n      \xe2\x80\xa2 Migrate 100 percent of DHS enterprise to Environmental Systems Research Institute\n         (ESRI) SmartBuy investment.\n      \xe2\x80\xa2 Stand up initial geospatial data warehouse capability at the DHS Enterprise\n         Architecture and DHS\xe2\x80\x99 National Center for Critical Information Processing and Storage\n         (NCCIPS) Data Center at Stennis, Mississippi.\n      \xe2\x80\xa2 Deploy standardized and interoperable common operating picture (COP) technology,\n         support the NOC, the National Infrastructure Coordination Center (NICC), and the\n         National Response Coordination Center (NRCC), and formalize this architecture as part\n         of the DHS Enterprise Architecture through the technology insertion process.\n      \xe2\x80\xa2 Oversee the Single Sign-On integration with the DHS Portal Environment.\n      \xe2\x80\xa2 100 percent of IT Portfolios Managers will directly contribute Portfolio analysis to the\n         budget, acquisition, and investment review process.\n      \xe2\x80\xa2 100 percent of DHS Portfolios will identify IT EA targets\n      \xe2\x80\xa2 Initiate Portfolio Management framework across 25 percent of DHS Components.\n      \xe2\x80\xa2 Complete the migration of consolidated Disaster Management technology platform\n         onto the target HSIN platform.\n      \xe2\x80\xa2 Continue implementation of the new enterprise Core Personnel system (EmpowHR) for\n         ICE, USCIS and other Components.\n      \xe2\x80\xa2 Implement new enterprise Learning Management Systems additional Components.\n      \xe2\x80\xa2 Continue to implement new enterprise Recruitment suite of systems (ICE, USCIS,\n         CBP, and other Components).\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       54\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        \xe2\x80\xa2    Provide Program Management Support for Information Quality and ensure that the\n             Department remains compliant.\n        \xe2\x80\xa2    Provide Program Management Support for Government Paperwork Elimination Act\n             and ensure that the Department remains compliant.\n        \xe2\x80\xa2    Define standard capability for Smartcard issuance and scale for use by all Components.\n\n        Security Activities\n        \xe2\x80\xa2 Move all remaining Components to OneNet with centrally managed Network Services\n           with enterprise-wide NOC/SOC services.\n        \xe2\x80\xa2 Establish a secondary NOC/SOC.\n        \xe2\x80\xa2 Complete Component migrations to MS Exchange.\n        \xe2\x80\xa2 Establish disaster recovery capability between the two DHS Data Centers.\n\n        Homeland Secure Data Network\n        \xe2\x80\xa2 Establish and maintain periodic HSDN program self-assessment and evaluation through\n          the DHS established Operational Analysis periodic review and reporting process in\n          order to identify areas for improvements in costs and operational efficiencies and\n          effectiveness.\n        \xe2\x80\xa2 Establish support for the mission requirements of DHS Component organizations and\n          homeland security partners staying abreast of and identifying applicable advancing\n          information and applied technologies capable of improving data gathering, fusion,\n          analysis, intelligence gathering and dissemination at a SECRET-classified level.\n\n        Information Security\n        \xe2\x80\xa2 Comprehensive Certification and Accreditation process in place.\n             o Goal is 100 percent of FISMA systems have valid Authority to Operate letters.\n        \xe2\x80\xa2 Close all IT audit findings.\n        \xe2\x80\xa2 Annual user IT Security Awareness Training is at 100 percent for all employees and\n           contractors with system access.\n        \xe2\x80\xa2 Configuration guides have been published for all operating systems in the department\n             o The Department validates configuration compliance programs for all\n                 Components.\n             o Percentage of systems that have completed annual National Institute of Standards\n                 and Technology Special Publication 800-53 assessments is 100 percent.\n        \xe2\x80\xa2 Enhance security operations capability by continuing to report all IT security incidents\n           to the DHS Security Operations Center, who in turn reports to US-CERT, as\n           appropriate.\n\nComponent IT Management\n\n2007 FEMA Accomplishments\n\n    \xe2\x80\xa2       Started modernization and upgrade efforts to improve information sharing and\n            functionality among six critical systems.\n                o National Emergency Management Information System (NEMIS);\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         55\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n            o Logistics Information Management System (LIMS-III);\n            o Automated Deployment Database (ADD);\n            o Total Asset Visibility (TAV);\n            o Integrated Financial Management Information System (IFMIS); and\n            o Acquisition Management System (PRISM).\n    \xe2\x80\xa2   Migrated the Grants and Training IFMIS Financial System and the Payment and\n        Reporting System web system from the Office of Justice Programs to FEMA.\n    \xe2\x80\xa2   Participated in two field operation demonstrations and exercises to test our\n        interoperability with Federal, State and local response efforts, and our communications\n        plans in order to identify failures or shortcomings, corrected by June 1, 2007.\n    \xe2\x80\xa2   Expanded State and local communications planning efforts to include assistance in the\n        development of interoperable communications plans for all States in Regions 4 and 6,\n        Puerto Rico and the Virgin Islands, as well as all Emergency Support Functions that are\n        on the Federal response team to assist in disasters.\n    \xe2\x80\xa2   Acquired 34,000 licenses of the Asset Tracking Software (CompuTrace Complete) and\n        deployed 3,399 licenses on laptops supporting disasters.\n    \xe2\x80\xa2   Acquired 36,450 licenses for Full Disk Encryption software to support laptops used in\n        support of disaster operations.\n    \xe2\x80\xa2   Acquired 4,000 licenses of 2-Factor authentication solution as a FEMA pilot to comply\n        with OMB M06-16.\n    \xe2\x80\xa2   Replaced Egress and DMZ Firewalls that were becoming obsolete.\n    \xe2\x80\xa2   Completed pilot on deploying an Enterprise Patch Management solution and developed\n        schedule for Agency-wide deployment.\n    \xe2\x80\xa2   Acquired software for Enterprise Patch Management solution and currently deploying\n        agents.\n    \xe2\x80\xa2   Installed NetIQ Security Manager on critical servers to monitor critical network devices,\n        specifically egress firewalls, virtual private network concentrators and some ingress\n        firewalls.\n    \xe2\x80\xa2   Provided training for 28 Information Systems Security Officers.\n    \xe2\x80\xa2   Completed plan to support and guide critical IT improvements with the following five\n        Strategic Imperatives: 1) Stabilize and Integrate IT Assets Across the Agency; 2) Secure\n        the IT environment; 3) Network the Agency; 4) Evolve to a \xe2\x80\x9cService-Forward\xe2\x80\x9d\n        Organization; and 5) Establish the Supporting IT Policy and Governance Structure.\n    \xe2\x80\xa2   Continued refining and documenting IT management practices, policies, and procedures.\n    \xe2\x80\xa2   Implementing Enterprise Architecture based standards of interoperability, security, and\n        cost efficiency.\n    \xe2\x80\xa2   Completed initial architecture-based analysis of systems.\n    \xe2\x80\xa2   Identified mission critical systems.\n    \xe2\x80\xa2   Determined mission needs through customer analysis and began work to identify\n        functions that the Office of the CIO is currently capable of providing to meet needs.\n    \xe2\x80\xa2   Began process of aligning system functions to meet FEMA\xe2\x80\x99s mission needs.\n    \xe2\x80\xa2   Created system guidance to direct technical improvements and system upgrades.\n    \xe2\x80\xa2   Upgraded several systems to improve their capabilities and ability to share information.\n    \xe2\x80\xa2   Continued the monthly project management and professional development training\n        sessions.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       56\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Continued analysis of the optimal project and portfolio management tools and\n        implementation options.\n\nFEMA Remaining Plans\n\n    \xe2\x80\xa2   Continue upgrade of six critical systems, NEMIS, LIM-III, ADD, TAV, IFMIS, and\n        PRISM.\n    \xe2\x80\xa2   Complete Mitigation Advisors Statistical Tracker.\n    \xe2\x80\xa2   Improve operations and testing by creating Integrated Test Facility for software, updating\n        the Test Development Laboratory servers, and evolving two testing environments to the\n        required five environments which will allow NEMIS modules to be reengineered and\n        replaced completely with a minimum number of disruptions (phased completion).\n    \xe2\x80\xa2   Replace legacy servers to improve processing speeds, increase capacity, and reduce the\n        number of replication cycles in the current systems.\n    \xe2\x80\xa2   Deploy Emergency Management Mission Integrated Environment and migrate data to\n        that system from Regional server.\n    \xe2\x80\xa2   Deploy Document Management and Records Tracking System for multiple FEMA\n        applications.\n    \xe2\x80\xa2   Complete development of numerous Individual Assistance support systems including the\n        National Shelter System, Fulsome letters, Web indexing code, Web Registration Intake,\n        and the IA Center.\n    \xe2\x80\xa2   Work with Emergency Management Institute to develop concurrent training plans and\n        materials\n    \xe2\x80\xa2   Acquire and deploy 10,000 additional licenses for Asset Tracking Software (CompuTrace\n        Complete) on all FEMA laptops.\n    \xe2\x80\xa2   Deploy Full Disk Encryption software to support 36,450 remote access users as a FEMA\n        pilot Install 4,000 licenses of 2-Factor authentication solution (RSA) as a FEMA pilot to\n        comply with OMB M06-16 Fully deploy Enterprise Patch Management Solution\n        Agency-wide.\n    \xe2\x80\xa2   Expand implementation of NetIQ Security Manager for any security-related events\n        including failed logon attempts and configuration changes.\n    \xe2\x80\xa2   Conduct security assessment to determine effectiveness of security measures to ensure\n        secure sharing of information.\n    \xe2\x80\xa2   Deploy Community Information System (CIS) v4.5 Code into production.\n    \xe2\x80\xa2   Complete development of Electronic Fingerprint System (EFS).\n    \xe2\x80\xa2   Complete Enterprise Oracle database improvements.\n    \xe2\x80\xa2   Develop Emergency Management Information Management System (EMIMS).\n    \xe2\x80\xa2   Complete Executive Management System v1.0 (EMS).\n    \xe2\x80\xa2   Complete EMS v2.0.\n    \xe2\x80\xa2   Deploy Fire Grants Review/Award V4.30 to production.\n    \xe2\x80\xa2   Implement process improvement for software development projects and execute project\n        reviews Implement MS Project Server 2007.\n    \xe2\x80\xa2   Complete project to limit to three failed login attempts to database.\n    \xe2\x80\xa2   Develop Personally Identifiable Information Application & database.\n    \xe2\x80\xa2   Develop Real Property Management Application.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       57\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Develop Real Property Management E-Dashboard.\n    \xe2\x80\xa2   Implement Tower TRIM (Mitigation Electronic File Storage).\n    \xe2\x80\xa2   Implement Travel Manager v9.0.\n    \xe2\x80\xa2   Complete consolidation of training database.\n\n2007 USCIS Accomplishments\n\n    \xe2\x80\xa2   Integrated seven legacy enterprise applications through a Service Oriented Architecture\n        Enterprise Service Bus improving information access and sharing with another Federal\n        Department.\n    \xe2\x80\xa2   Implemented and instituted the USCIS information technology lifecycle management\n        process.\n    \xe2\x80\xa2   Implemented and instituted an Office of Information Technology organizational structure\n        based on the industry best practice model of information technology infrastructure library\n        and information technology service management.\n    \xe2\x80\xa2   Received Departmental approval for USCIS\xe2\x80\x99s Transformation Program Concept of\n        Operations and Strategic Plan and the Transformation Program for Milestone Decision\n        Point (MDP) two \xe2\x80\x93 Concept and Technology Development Phase.\n    \xe2\x80\xa2   DHS\xe2\x80\x99 Enterprise Architecture Community of Excellence approved USCIS\n        Transformation Program for Milestone Decision Point two \xe2\x80\x93 Concept and Technology\n        Development Phase.\n    \xe2\x80\xa2   USCIS Transformation Program Office (TPO) completed foundational documents to\n        support the Program Management Office including: Program Management Plan,\n    \xe2\x80\xa2   Governance Plan, Risk Management Plan, Quality Management, Change Management\n        Plan, and Communication Plan.\n    \xe2\x80\xa2   Initiated Federal Stakeholders Advisory Board that includes members from: CBP,\n        USCIS, I&A, Department of Justice, Department of State, ICE, Treasury, and US-VISIT.\n    \xe2\x80\xa2   Completed the Transformation Increment 1 Target Business Process definition which\n        defines the business model and high-level requirements for the program.\n    \xe2\x80\xa2   USCIS TPO completed initial round of field briefings and focus group meetings with\n        field leadership.\n    \xe2\x80\xa2   For the pilot projects, the TPO engaged users through focus groups and surveys to gather\n        and validate requirements, validate new business processes, and collect feedback for\n        future requirements.\n    \xe2\x80\xa2   Deployed three pilot projects \xe2\x80\x93 Secure Information Management Service, Enterprise\n        Document Management System, and Enumeration.\n\nUSCIS Remaining Plans\n\n    \xe2\x80\xa2   Complete procurement of Solutions Architect services.\n    \xe2\x80\xa2   Begin development of integrated operating environment.\n    \xe2\x80\xa2   Complete hiring process to staff Enterprise Architecture Branch with the USCIS Office\n        of Information and Technology.\n    \xe2\x80\xa2   Execute USCIS EA development plan to achieve level three maturity.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        58\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Facilitate USCIS-wide performance architecture task force to gather and analyze\n        performance measures and metrics\n\n\nFY 2007 Challenge 6: Infrastructure Protection\nSummary of 2007 Challenge: OIG acknowledged that the Nation\xe2\x80\x99s distribution of critical\ninfrastructure and key resources (CI-KR) is enormous and complex. The requirement to rely on\nFederal partners and the private sector to deter threats, mitigate vulnerabilities, or minimize\nincident consequences complicates protection efforts for all CI-KR. However, according to OIG,\nthe Department continues to face a challenge in prioritizing its protection efforts based on risk\nand mission requirements and needs to incorporate threat information into its risk assessments\nand coordinate the funding of protective measures for CI-KR.\n\n2007 Accomplishments\n\nThe Department of Homeland Security\xe2\x80\x99s Office of Infrastructure Protection (OIP) is responsible\nfor coordinating and advancing protection efforts throughout all 17 critical infrastructure and key\nresource sectors:\n    \xe2\x80\xa2 The completion of the National Infrastructure Protection Plan\xe2\x80\x99s Sector Specific Plans\n       (SSPs) is just one of many OIP activities that illustrate the evolution of the Department\xe2\x80\x99s\n       CI-KR protection capabilities. This undertaking represents the first time that government\n       and the private sector have worked together on such a large scale to develop a joint plan\n       for protecting the Nation\xe2\x80\x99s key assets and resources. In completing the SSPs, DHS:\n           o Worked with the private sector to implement tailored protective measures,\n               including conducting site-assistance visits and transforming feedback into\n               educational reports that owners and operators can use to identify vulnerabilities;\n           o Worked with the private sector to develop more than 800 Buffer Zone Protection\n               Plans (BZPP) to enhance security around critical infrastructure;\n           o Provided security guard training and courses on increasing terrorism awareness;\n               and\n           o Boosted information sharing across the sector through the Homeland Security\n               Information Network (HSIN), which has a specifically dedicated portal for critical\n               infrastructure.\n    \xe2\x80\xa2 More work continues in these different sectors. For example, in the chemical sector,\n       DHS issued an Interim Final Rule for Chemical Facility Anti-Terrorism Standards in\n       April 2007. The Department is now finalizing the final rule, ensuring vulnerability\n       assessments are conducted, and fostering the development of site security plans. OIP\n       also began sector-wide registration processes in the Nuclear, Oil and Gas, and Chemical\n       Sectors to clearly identify all owners and operators.\n    \xe2\x80\xa2 Sharing information on threats in the form of tailored strategic sector-specific risk\n       assessments, vulnerabilities, consequences, and protective planning was an essential\n       underlying foundation for executing these activities and completing these deliverables.\n    \xe2\x80\xa2 Because strategic information motivates protective investments and preparedness, the\n       National Infrastructure Protection Plan (NIPP) Sector Partnership Model, which is fully\n       operational, has been and will continue to be an essential mechanism for the exchange of\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        59\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        strategic information at an unprecedented level between government and the owners and\n        operators of CI-KR.\n    \xe2\x80\xa2   The National Infrastructure Coordinating Center (NICC) has taken important strides in\n        the realm of information sharing. Consistent with the NIPP \xe2\x80\x9cnetwork approach\xe2\x80\x9d to\n        information sharing, the NICC routinely shares a wide range of information products\n        containing warning, threat, and CI-KR protection information via HSIN-Critical Sectors\n        (HSIN-CS). During the last year, the NICC has posted more than 900 information\n        products to HSIN-CS for use by CI-KR owners and operators.\n            o Nine of the CI-KR sectors or major sub-sectors have signed MOUs with DHS to\n                deploy HSIN-CS to their sectors, which reflects a long process to overcoming\n                challenges unique to information sharing with the private sector.\n            o This comprehensive environment and its mechanisms have been formally adopted\n                by the Program Manager, Information Sharing Environment (PM-ISE), as the\n                private sector component of the information sharing environment.\n    \xe2\x80\xa2   The Buffer Zone Protection Program reduces the threats and vulnerabilities for critical\n        infrastructure through identification and analysis of critical infrastructure sites and by\n        providing grant funding to law enforcement entities to mitigate identified gaps. DHS is\n        documenting, through the Vulnerability Reduction Purchasing Plan (VRPP), how BZPP\n        grantees are utilizing the grant money to reduce threat and vulnerabilities.\n            o OIP provided $25 million of BZPP grant funds for increased local law\n                enforcement (LLE) capability to protect the buffer zones around high-risk\n                chemical facilities.\n            o OIP completed 200 Buffer Zone Plans and provided $50 million in BZPP grant\n                funds for increased LLE capabilities.\n\n    In addition, OIP:\n\n    \xe2\x80\xa2 Completed 110 Site Assist Visits (SAVs) in conjunction with Federal, State, local, and\n      private-sector stakeholders.\n    \xe2\x80\xa2 Completed the remaining 28 (of 65 total Nuclear Power Plants) Nuclear Comprehensive\n      Reviews (CRs).\n    \xe2\x80\xa2 Completed the remaining 5 of (6 total high-risk chemical regions) Regional Chemical\n      CRs.\n    \xe2\x80\xa2 Completed 130 Soft Target Awareness Courses to LLE and private sector security\n      managers.\n    \xe2\x80\xa2 Completed 50 Surveillance Detection Courses to LLE protecting the CI-KR.\n    \xe2\x80\xa2 Completed FY 2008 Tier 2 Data Call for infrastructure information with States and SSAs.\n    \xe2\x80\xa2 Achieved initial operating capability of iCAV system to provide situational awareness\n      within the National Operations Center.\n    \xe2\x80\xa2 Completed the 2007 National and Sector CI-KR Protection Annual Reports in accordance\n      with the NIPP.\n    \xe2\x80\xa2 Initiated and completed the 2007 NIPP CI-KR Protection Core Metrics Initiative to\n      include NIPP and OIP implementation actions.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       60\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\nDHS will continue to prioritize resources and activities based on risk. In addition, OIP will:\n  \xe2\x80\xa2 Develop a scalable assessment methodology to execute SAVs, Buffer Zone Protection\n     Plans, Comprehensive Reviews, and High-Risk Infrastructure Cluster Assessments. This\n     represents an important step in working with other Sector Specific Agencies to\n     standardize assessment methodologies while fulfilling bombing prevention requirements,\n     providing accessibility to State and local partners, and allowing Protective Security\n     Advisor-led assessment teams to coordinate and report on vulnerability assessments in\n     the field.\n  \xe2\x80\xa2 Integrate 10 National Guard teams into the Vulnerability Assessment project and conduct\n     approximately 300 vulnerability assessments on Tier 1/2 CI-KR. The National Guard will\n     test, evaluate, and calibrate the new methodology.\n  \xe2\x80\xa2 Conduct the high-risk cluster assessment pilot on 72 assets in the Lower Manhattan\n     Security Initiative and 24 assets in the District of Columbia Metroplex Initiative. These\n     assessments will allow OIP to evaluate and enhance the methodology to conduct full\n     scale High-Risk Infrastructure Cluster assessments in following years.\n   \xe2\x80\xa2 Expand the CR effort to conduct assessments for high-consequence sectors such as\n     liquefied natural gas.\n  \xe2\x80\xa2 Establish a Protective Measures Section to track Federal, State, and local government and\n     private sector assessments and protective actions. This section will collect and analyze\n     information to evaluate the effectiveness of assessments, protective measures\n     implemented, and grant funding provided to high-priority CI-KR.\n  \xe2\x80\xa2 Evolve the National Asset Database into an integrated Infrastructure Data Warehouse\n     (IDW) with raw CI-KR-related asset information and completed CI-KR information\n     products. All NIPP Stakeholders will have access to the IDW via a common graphics\n     user interface.\n  \xe2\x80\xa2 Review, as requested, sector-specific risk assessment methodologies to ensure NIPP\n     compliance, and then assist with the technical implementation of the tool for use in the\n     collection and assessment of sector-level CI-KR.\n\n\nFY 2007 Challenge 7: Border Security\nSummary of 2007 Challenge: The OIG letter asserts that one of DHS\xe2\x80\x99 primary missions is to\nreduce America\xe2\x80\x99s vulnerability to terrorism by controlling the borders of the United States. This\nis dependent on the coordinated accomplishments of DHS, as well as joint efforts with other\nagencies. To this end, DHS is implementing a comprehensive multi-year plan to secure the\nborders and reduce illegal immigration, called the Secure Border Initiative (SBI). OIG believes\nthat DHS must quickly establish the organizational capacity to oversee, manage, and execute a\nprogram of this size and scope. Until the operational and contract requirements are firm,\neffective performance management and cost and schedule control are precluded. Concurrently,\nCBP must increase the number of agents by 6,000 in less than three years. The rapid timeline\npresents risks in recruiting and training fully qualified agents and procuring the necessary\ninfrastructure to support them.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       61\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n2007 Accomplishments\n\n    Fielding Border Surveillance Technologies / SBInet Program Management\n    \xe2\x80\xa2 CBP awarded an SBInet task order to demonstrate the effectiveness of the overall\n        approach to SBInet along 28 miles of border flanking the Sasabe Port of Entry (POE) in\n        Arizona. CBP has made significant progress in implementing Project 28, including\n        deploying all nine re-locatable camera and radar towers, and fitting all 50 of the Project\n        28 agent vehicles with Common Operating Picture hardware.\n    \xe2\x80\xa2 Under the SBInet prime contract, CBP awarded a task order for the test and evaluation of\n        fencing solutions. The purpose was to test effective low-cost solutions that meet\n        operational requirements and can be reproduced for rapid deployment along the\n        Southwest Border. This testing will help CBP add to existing tactical infrastructure to\n        reach a total of 370 miles of fencing and 200 miles of vehicle barriers by the end of\n        calendar year 2008.\n    \xe2\x80\xa2 CBP met its commitment to construct 70 miles of primary fencing along the Southwest\n        Border. This effort was comprised of both new and previously planned projects brought\n        together under SBInet.\n    \xe2\x80\xa2 CBP formed a Secure Border Initiative (SBI) Executive Steering Committee (ESC) to\n        provide oversight of the implementation of SBI and SBInet. The SBI ESC serves as an\n        advisory board, helping the SBI Executive Director to effectively implement program\n        management decisions.\n    \xe2\x80\xa2 SBI is developing, documenting, and implementing sound program and performance\n        management processes. SBI developed a process asset library, with a baseline of 76\n        program management policies, plans, processes, and procedures. The program has\n        established scheduling standards for the development and maintenance of the Integrated\n        Master Schedule and project schedules. SBI has established processes and procedures for\n        Earned Value Management System baseline analysis and reporting. Monthly Program\n        Management Reviews, which address cost, schedule, performance, and risk \xe2\x80\x93 are\n        conducted to monitor the program progress. Oversight of Prime contractor deliverables\n        are performed to ensure measures and metrics reported are consistent and traceable to the\n        Quality Assurance Surveillance Plan (QASP). .\n    \xe2\x80\xa2 SBI and SBInet have significantly increased organizational capacity, adding 168 staff\n        members to help manage the program and address crosscutting issues such as coordination\n        with the Coast Guard on maritime border security issues.\n\n    Office of Border Patrol\n    \xe2\x80\xa2 OASISS (Operation Against Smugglers Initiative for Safety and Security) has been\n       embraced and expanded by both the U.S. and Mexico as a successful cross-border\n       prosecution and deterrent to smugglers who jeopardize the lives of aliens.\n    \xe2\x80\xa2 311 cases were generated, a 9 percent increase over FY 2006, with an 86 percent\n       acceptance rate.\n    \xe2\x80\xa2 Interior Repatriation (13,292 aliens were removed via this program) along with OASISS\n       has complimented the Border Security Initiative campaign to inform and deter potential\n       crossers.\n    \xe2\x80\xa2 Operation Streamline has decreased Del Rio Sector apprehensions by 47 percent (and\n       Other Than Mexican (OTM) apprehensions by a similar 46 percent).\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       62\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Nationwide apprehensions were down 19.5 percent for FY 2007 to 876,704.\n    \xe2\x80\xa2   Nationwide apprehensions of OTM nationalities were down 37 percent to 68,016.\n    \xe2\x80\xa2   59,146 OTM aliens have been removed through the Expedited Removal (ER) program\n        helping to end Catch and Release.\n    \xe2\x80\xa2   In FY 2007, CBP significantly increased the number of Border Patrol Agents from\n        12,319 to 14,923 agents as part of the President\xe2\x80\x99s initiative to increase the ranks of the\n        Border Patrol by 6,000 by December 31, 2008.\n    \xe2\x80\xa2   The Border Patrol Academy participated in a curriculum review with the Federal Law\n        Enforcement Training Center before initiating a new 81-day program.\n    \xe2\x80\xa2   As of September 30, 2007, 1,712 agents have graduated from the Academy with 1,442\n        FY 2007 recruits still in class. This is a single year record for graduates at the\n        Academy. To accomplish this goal the Academy doubled the size of permanent staff and\n        has increased the number of temporary duty instructors. The infrastructure at the Artesia\n        Academy was improved to meet the need; a new dorm, physical techniques training\n        center, modular classrooms, and other additions have been made.\n    \xe2\x80\xa2   The Academy has, with input from best in practice practitioners and from field Border\n        Patrol Agents, designed a new Spanish language program and physical techniques\n        training program. The redesign will ensure that new Agents who are already proficient in\n        Spanish can complete the basic training at the Academy in 55 days. Those needing\n        Spanish, will enter a 40 day task-based Spanish program.\n    \xe2\x80\xa2   Planned for 6,000 new agents by December 31, 2008. Conducted site surveys of existing\n        stations. Identified facility conditions and needs of each station receiving additional\n        agents.\n    \xe2\x80\xa2   Environmental kick off meeting conducted with environmental contracting firm on\n        September 25, 2007 for all Integrated Project Team (IPT) projects. Environmental\n        Assessments (EAs) to start immediately on identified sites.\n    \xe2\x80\xa2   Initiated land acquisition activities for Rapid Response sites.\n    \xe2\x80\xa2   Execution underway for several Rapid Response projects.\n    \xe2\x80\xa2   Completed Rapid Response Planning IPT activities in April 2007. Outputs included\n        initial cost estimates and program of requirements for all Rapid Response sites,\n        prioritized list of projects, programmatic cost benefit analysis, risk management plan, and\n        mission needs statement.\n    \xe2\x80\xa2   Implemented cost and schedule management system for Rapid Response projects.\n    \xe2\x80\xa2   Completed BP facilities for 12 sites.\n    \xe2\x80\xa2   36 renovations, additions, upgrades, and/or new facilities were completed in various\n        locations.\n    \xe2\x80\xa2   184 acres acquired for five facilities.\n\n    Advance Passenger Information System (APIS)\n    \xe2\x80\xa2 On August 23, 2007, the APIS Pre-Departure Final Rule, requiring air and vessel carriers\n      to transmit complete APIS manifest data prior to sealing the aircraft doors or the\n      departure of a vessel, was published in the Federal Register. This rule enables CBP to\n      conduct no fly and selectee watch list screening prior to passengers gaining access to the\n      aircraft or departing onboard a vessel, adding an essential layer to our anti-terrorism\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        63\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        security measures. Carriers have been given 180 days from the publication of the rule to\n        transition their systems into compliance.\n    \xe2\x80\xa2   On September 18, 2007, the CBP Private Aircraft Notice of Proposed Rule Making,\n        requiring pilots of private aircraft to transmit complete APIS manifest data 60 minutes\n        prior to departure was published in the Federal Register. This rule enables CBP to\n        conduct no fly and selectee watch list screening and provide Landing Rights for Private\n        Aircraft through an automated system, adding an essential layer to our anti-terrorism\n        security measures.\n\n    Intelligence\n    \xe2\x80\xa2 Developed a complete Field Intelligence Construct, and successfully validated it through\n       a six month, Tucson, Arizona-based Pilot focused on the Southwest Border. This\n       initiative integrates with and compliments the Border Security and Intelligence aspects of\n       the SBInet Program.\n    \xe2\x80\xa2 Developed a Strategic Threat Assessment Program and completed first assessment on the\n       threat posed by Terrorism at the CBP Ports of Entry.\n    \xe2\x80\xa2 Refined the Passenger Targeting Rules Set, resulting in increased focus on problematic\n       passengers, and a reduction in delays and secondary screening of unlikely terrorists and\n       other criminals.\n\n    ICE/CBP Coordination\n    \xe2\x80\xa2 The ICE Office of Intelligence has successfully completed a Headquarters reorganization\n       that will foster and enhance the strategic collaborative efforts between ICE and CBP, as\n       well as other DHS entities.\n    \xe2\x80\xa2 The Office of Intelligence has successfully completed a field reorganization that will\n       greatly enhance our ability to meet the intelligence needs of ICE and our customers,\n       which includes CBP. The Office of Intelligence has transitioned from six regional Field\n       Intelligence Units (FIUs) and is in the process of replacing them with 26 Field\n       Intelligence Groups that are co-located with ICE offices in the field. This will better\n       facilitate information sharing between ICE and CBP Intel.\n    \xe2\x80\xa2 CBP and ICE use shared database resources to exchange information, reports, and other\n       operational and intelligence information on subjects of common interest.\n    \xe2\x80\xa2 The Coordination Council affords ICE and CBP senior executives the opportunity to\n       openly discuss each respective agency\xe2\x80\x99s roles and responsibilities. Through the\n       Coordination Council, ICE and CBP were able to jointly develop an addendum to the\n       November 16, 2004, joint memorandum between ICE/OI and CBP/OBP. This document\n       highlights efforts to promote occupational awareness and orientation among field\n       elements of ICE and CBP personnel. These efforts will include the respective ICE/OI\n       and CBP/OBP entities providing orientation to each other\xe2\x80\x99s personnel on operational\n       priorities, programmatic areas of concern, evidence handling and other related matters.\n       The addendum specifically addresses the co-location of ICE OI and CBP OBP Sector\n       Intelligence Units where building space limitations can be overcome.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       64\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\n    Fielding Border Surveillance Technologies / SBInet Program Management\n    \xe2\x80\xa2 CBP is committed to build a total of 370 miles of fence and 200 miles of vehicle barriers\n        along the Southwest Border by the end of calendar year 2008.\n    \xe2\x80\xa2 CBP is committed to deploying 70 communications, camera, and radar towers by the end\n        of calendar year 2008.\n\n    Office of Border Patrol\n    \xe2\x80\xa2 Extend Operation Streamline-like initiatives to other Border Patrol Sectors.\n    \xe2\x80\xa2 Continue to refine the use Interior Repatriation and the OASISS program to deter at risk\n       crossers.\n    \xe2\x80\xa2 Continue to expand the use of ER to more eligible classes of aliens and in more\n       geographic locations.\n    \xe2\x80\xa2 The Border Patrol will further improve the Academy training program.\n    \xe2\x80\xa2 The Academy plans to conduct 96 classes for a total of 4,800 trainees.\n    \xe2\x80\xa2 Continue 55 Rapid Response program projects currently underway.\n    \xe2\x80\xa2 In FY 2008, complete Border Patrol facilities for eight locations.\n    \xe2\x80\xa2 Complete Northern Border standard, 50 agent standard station design.\n    \xe2\x80\xa2 New construction activity underway in six sectors.\n    \xe2\x80\xa2 Continue activity with offers pending with an estimated value of $3.8 million, for six site\n       locations, totaling 123 acres.\n\n    Advance Passenger Information Systems (APIS)\n    \xe2\x80\xa2 Monitor carrier compliance/implementation progress of requirements defined in the APIS\n      Pre-Departure Final Rule.\n    \xe2\x80\xa2 Finalize and publish the CBP Private Aircraft Final Rule upon analysis and reconciliation\n      of comments received from the Notice of Proposed Rule Making.\n\n    Intelligence\n    \xe2\x80\xa2 Deploy 2-3 Intelligence and Operations Coordination Centers and 6-10 Intelligence\n       Coordination Teams to Border locations over a 24-month time frame commencing\n       October 1, 2007. These are the key structural elements of the Field Intelligence\n       Construct.\n    \xe2\x80\xa2 Complete build out of the Strategic Threat Assessment Program to encompass All\n       Crimes/All Threats; integrate programmatically into the new CBP Integrated Strategic\n       Planning and Resource Allocation Process; and develop Indicators and Warning\n       capability based on this program to provide, in concert with our mission partners, a first-\n       ever Predictive Capability for All Crimes/All Threats.\n    \xe2\x80\xa2 Enhance CBP Leadership and Mission Partner Situational Awareness by combining the\n       Intelligence Watch and the Operations Situations Room conceptually and under one\n       leader.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        65\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    ICE/CBP Coordination\n    \xe2\x80\xa2 In furtherance of the goal of closer collaboration and sharing of law enforcement\n       intelligence, CBP and ICE Intel also recently agreed to produce coordinated joint\n       reporting to meet the analytical needs of both agencies. This will be a joint ICE and CBP\n       Office of Intelligence analytical effort dealing with border activity of mutual interest to\n       both agencies. The focus will be on analyzing regional and national smuggling trends,\n       methods and seizures and combining it with all-source intelligence to provide trend\n       analysis that directly relates to ICE and CBP operations in the air, land and sea.\n    \xe2\x80\xa2 Environments of interest to both ICE and CBP field level personnel as well as managers\n       at both agency headquarters.\n    \xe2\x80\xa2 ICE and CBP are currently discussing the shared use of ICE data systems that will allow\n       both agencies to conduct useful analysis on differing data sets.\n    \xe2\x80\xa2 Intelligence dissemination measures and initiatives are underway. The DHS Intelligence\n       Systems Board aims to unify the intelligence program throughout DHS through an\n       enterprise approach to information sharing and the application of common systems.\n\n\nFY 2007 Challenge 8: Transportation Security\nSummary of 2007 Challenge: The OIG\xe2\x80\x99s letter acknowledged that the size and complexity of the\ntransportation system, which moves millions of passengers and tons of freight every day, make it\na difficult system to secure and an attractive target for terrorists. The Nation\xe2\x80\x99s economy depends\nupon implementation of effective, yet efficient transportation security measures. The OIG\nclaimed however, that since its inception, TSA has focused almost all of its attention on aviation\nsecurity, perhaps to the detriment of other forms of transportation.\n\nCheckpoint and Checked Baggage Performance\n\n2007 Accomplishments\n\n    Screening SOP Refinements\n    \xe2\x80\xa2 TSA has undertaken a number of initiatives in 2007 to improve checkpoint and checked\n       baggage performance. Screening SOPs continue to be refined to shift attention from\n       lower security risks, such as lighters, to address markedly higher security risks that could\n       do catastrophic damage to an aircraft\xe2\x80\x94IEDs, IED parts, and electric ignition devices.\n       This focus is fundamental to a risk-based approach to aviation security. TSA continues\n       to direct resources toward higher risk areas and make its security protocols less\n       transparent to potential terrorists. We believe we gain a higher return in threat detection\n       when our TSOs concentrate on finding explosive devices or components of explosive\n       devices.\n\n    Screener Performance\n       Aviation Screening Assessment Program (ASAP)\n    \xe2\x80\xa2 In order to improve screener performance, TSA instituted ASAP in 2007. The mission of\n       ASAP is to measure screening performance using realistic and standardized assessment\n       scenarios to improve aviation security. This is being accomplished by:\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         66\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n                o Establishing a three-tiered assessment system with standardized criteria and\n                    menu-driven scenarios;\n                o Conducting on-going evaluation and modification to the program and\n                    scenarios;\n                o Utilizing the local screening workforce including TSA Approved Instructors\n                    (TAI) and Bomb Appraisal Officers (BAO) as subject matter experts;\n                o Integrating the program plan into the Transportation Security Inspector (TSI)\n                    Annual Inspection Plan; and\n                o Providing clear and consistent communication to the field.\n        \xe2\x80\xa2   The program\xe2\x80\x99s main goal is to achieve a national assessment measurement. This\n            measurement provides information that helps TSA improve aviation security and\n            identify vulnerabilities across screening operations.\n\n        Performance Accountability and Standards System (PASS)\n        \xe2\x80\xa2 The objective of PASS is to promote and sustain a culture of high performance and\n           accountability in TSA and to help achieve the organizational goals that support TSA\xe2\x80\x99s\n           mission. PASS is designed to ensure that employees know what they need to do to\n           accomplish their work successfully and to help TSA accomplish its mission through\n           the use of a pay-for-performance system. PASS begins with a sit-down face-to-face\n           planning meeting between employees and their supervisors or managers at the\n           beginning of the performance period. At the end of the first and third performance\n           quarters, quarterly discussions are held. A Mid-Year Review occurs halfway through\n           the performance period, and the performance period wraps up with an End-of-Year\n           Review.\n\n        Emerging Technologies\n        \xe2\x80\xa2 TSA continues its efforts to identify and deploy emerging technologies that will\n          constitute the next advancement in explosives detection screening at passenger\n          security checkpoints. Those emerging technologies that are either in, or will soon be\n          ready for, operational evaluation in screening for explosives includes: (1) Cast &\n          Prosthesis scanners, (2) Whole Body Imagers, (3) bottled liquids scanners and (4)\n          advanced carry-on baggage scanning technologies.\n\n    Additional Layers of Security\n\n        Aviation Direct Access Screening Program (ADASP)\n        \xe2\x80\xa2 TSA is implementing ADASP as one more layer of protection against terrorism.\n           Recent incidents in the United States and overseas have highlighted vulnerabilities\n           that exist with regard to individuals with unescorted and unscreened access to secured\n           areas and sterile areas of airports. Increased random inspections of individuals,\n           accessible property, and vehicles entering secured areas and/or sterile areas are\n           required to reduce the risk from these vulnerabilities.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       67\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    Visible Intermodal Protection and Response (VIPR)\n    \xe2\x80\xa2 To help combat threats such as the one experienced in Glasgow, TSA instituted VIPR, a\n       visible deterrent to terrorist activity. VIPR consists of Behavior Detection Officers,\n       Federal Air Marshals, Explosives Detection Canine Teams, Transportation\n    \xe2\x80\xa2 Security Inspectors, and State and local law enforcement officers, who operate\n       throughout the airport environment as an additional layer of security.\n\nRemaining Plans\n\n    \xe2\x80\xa2   To meet the challenges of a constantly evolving threat, our passenger screening systems\n        must constantly evolve and adapt. To this end, TSA created a passenger screening task\n        force charged with creating a new vision for aviation passenger screening. A vision that\n        will enable TSA to focus more on high-risk individuals, that expands the range of threats\n        that can be detected, that enables the information sharing across the enterprise, and that\n        improves our system\xe2\x80\x99s ability to respond to ever-changing threat conditions. The task\n        force has established guidelines for the development of the passenger screening system\n        vision of the future. Next steps include integration of these guidelines and working with\n        stakeholders, such as airports, to bring the concepts to fruition.\n\nPassenger Air Cargo Security\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   TSA has removed exemptions to screening to include the elimination of shrink wrap\n        exemptions. In addition, TSA holds four weeks of core inspector training. Cargo\n        Inspectors complete a two-week on-the-job training program. TSA\'s more than 460\n        canine teams each spend at least 25 percent of their work day in the cargo environment.\n\nRemaining Plans\n\n    \xe2\x80\xa2   TSA will plan direct nighttime and weekend inspection activities (when most of the cargo\n        is moving) to better determine compliance with requirements, and conduct monthly\n        "cargo strike" surges at high volume cargo airports. By the end of FY 2008, TSA will\n        add another 170 canine teams to the force who\'s primary focus will be cargo, which will\n        significantly increase the amount canine teams screening cargo.\n\nWorker\xe2\x80\x99s Compensation\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   Developed agency policies and procedures on the FECA program to include roles and\n        responsibilities for the Office of Human Capital (OHC) and airport personnel.\n    \xe2\x80\xa2   Developed and implemented a centralized, automated case management system to track\n        the status of the Agency\xe2\x80\x99s workers\xe2\x80\x99 compensation cases.\n    \xe2\x80\xa2   Provided 40 positions in which to concentrate exclusively on the Workers Compensation\n        program in field locations.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        68\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Developed and implemented FECA related performance goals and measures, and\n        established performance standards for workers\xe2\x80\x99 compensation specialists and Federal\n    \xe2\x80\xa2   Security Directors (FSDs) that will hold TSA officials accountable for program\n        performance.\n    \xe2\x80\xa2   Developed agency policies and procedures on TSA\xe2\x80\x99s chargeback process to include roles\n        and responsibilities for OHC and airport personnel. Additionally, the verification process\n        of reviewing and verification of the Chargeback Cost has been added to the Workers\xe2\x80\x99\n        Compensation Desk Guide.\n\nRemaining Plans\n\n    \xe2\x80\xa2   Finalize the Management Directive outlining roles and responsibilities for the FECA\n        program, and continue to communicate the fact that locations should use the case\n        management system and provide associated training.\n\nEmployee Workplace Issues\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   TSA\xe2\x80\x99s Equal Employment Opportunity complaints are comparable to other deferral\n        agencies. TSA\xe2\x80\x99s attrition is decreasing and is comparable to other transportation sector\n        jobs. Additionally, TSO job satisfaction has increased significantly over the past two\n        years. TSA has multiple processes for complaint resolution including the Ombudsman\xe2\x80\x99s\n        Office, the Office of Civil Rights, Disciplinary Review Board, and Peer Review\n        Programs. TSA has established a Model Workplace Program where employees and\n        managers form councils to address workplace complaints and grievances.\n\nRemaining Plans\n\n    \xe2\x80\xa2   OIG is currently conducting an audit of employee workplace issues. At the conclusion of\n        the OIG audit, TSA will review and address the identified findings and recommendations.\n\nRail and Mass Transit\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   DHS has developed and administered grant programs for various surface transportation\n        modes.\n    \xe2\x80\xa2   Developed and adopted a strategic approach for implementing surface transportation\n        security functions.\n    \xe2\x80\xa2   Conducted threat, criticality, and vulnerability assessments of surface transportation\n        assets.\n    \xe2\x80\xa2   TSA has taken actions to develop and issue surface transportation security standards for\n        passenger and freight rail modes.\n    \xe2\x80\xa2   TSA has taken steps to conduct compliance inspections for surface transportation systems\n        and has made progress in hiring and deploying inspectors.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       69\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\n    \xe2\x80\xa2   OIG and GAO are both conducting audits in this area. At the conclusion of the audits,\n        TSA will review and address the identified findings and recommendations.\n\n\nFY 2007 Challenge 9: Trade Operations and Security\nSummary of 2007 Challenge: OIG states that trade operations and security are primarily the\nresponsibility of CBP, although USCG and ICE also play important support roles. CBP has the\nmission of ensuring that all persons and cargo enter and exit the U.S. legally, while facilitating\nthe lawful movement of goods and persons across U.S. borders. OIG believes CBP\xe2\x80\x99s three major\nchallenges to meeting its trade mission are the modernization of trade systems, risk management\nprograms to use scarce resources efficiently, and partnerships with the trade and foreign Customs\noffices.\n\n2007 CBP Accomplishments\n\n    Container Security Initiative (CSI)\n    \xe2\x80\xa2 Reached a milestone of 58 Operational CSI ports, covering 86 percent of U.S. bound\n      maritime containers.\n    \xe2\x80\xa2 Transitioned 12 CSI ports in eight countries to permanent staffing, bringing the total\n      number of posts with permanent personnel to 40.\n    \xe2\x80\xa2 Increased the level of examinations conducted at CSI locations by 92 percent.\n    \xe2\x80\xa2 Evaluated 40 CSI ports using automated tools and protocols.\n    \xe2\x80\xa2 Launched Secure Freight Initiative (SFI).\n\n    Cargo Enforcement Reporting and Tracking System (CERTS)\n    \xe2\x80\xa2 The CERTS examinations and findings module, a component of Automated Targeting\n       System, Version 4 (ATS-4), was actively deployed during FY 2007. This new module\n       enables CBP Officers and Agriculture Specialists to report and track all CBP\n       examinations and findings data using a single-point of entry application.\n    \xe2\x80\xa2 ATS-4/CERTS is currently deployed to 36 CBP seaports, five CBP Airports, and two SFI\n       seaports (Port Qasim, Pakistan and Port Cortes, Honduras).\n    \xe2\x80\xa2 Thirty international airports have just finished sending representatives to the CERTS\n       Train-The-Trainer Course.\n\n\n    Customs-Trade Partnership Against Terrorism (C-TPAT)\n    \xe2\x80\xa2 Initiated 2,503 validations of which 1,812 have been completed, resulting in 5,314 total\n       validations completed.\n    \xe2\x80\xa2 Increased to a total of 156 Supply Chain Security Specialists (SCSS) positions.\n    \xe2\x80\xa2 Implemented a third party validation pilot program and achieved several milestones to\n       include: (1) soliciting applications from companies wanting to conduct validations on\n       behalf of CBP in China on the Federal Business Opportunities Website and selecting 11\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        70\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        companies to participate; (2) identifying and inviting 304 validated importers to\n        participate in the pilot; and (3) developing standard operating procedures to ensure\n        consistent application of validation principles.\n    \xe2\x80\xa2   Strengthened supply chain security through the development and issuance to the trade\n        community of minimum-security criteria for U.S and Foreign-Based Marine Port\n        Authority and Terminal Operator, Licensed U.S. Customs Brokers, Mexican Long Haul\n        Carriers, and Air Carriers.\n\n    Automated Commercial Environment (ACE)\n    \xe2\x80\xa2 Deployment of truck e-Manifest was completed at all land border cargo crossings (105\n       port codes, 144 sites).\n    \xe2\x80\xa2 ACE e-Manifest, as required by the Trade Act of 2002, advance electronic cargo\n       information mandate, was deployed at all ports by November 2007. The use of ACE e-\n       Manifest became mandatory in Maine and Minnesota on October 12, 2007 and will\n       become mandatory in Alaska on February 11, 2008.\n    \xe2\x80\xa2 Ports with ACE truck e-manifest capabilities are operating at a compliance rate of nearly\n       100 percent.\n    \xe2\x80\xa2 CBP collected nearly $1 billion dollars in duties and fees via the ACE periodic monthly\n       statement payment process, which represents 36 percent of all duties and fees collected.\n    \xe2\x80\xa2 Currently, there are 12,265 ACE accounts (10,189 truck carriers, 1,306 importers, 770\n       brokers, filers and sureties).\n    \xe2\x80\xa2 ACE truck manifest capabilities are operating at 98 or 99 land border ports; the\n       mandatory e-Manifest policy is in effect at 79 land border ports.\n    \xe2\x80\xa2 Deployed initial ACE entry summary, accounts, and revenue capabilities on September 9,\n       2007.\n    \xe2\x80\xa2 More than 245 users from 35 participating Government agencies are using ACE to access\n       trade data, including more than 100 reports that draw from entry and entry summary data.\n    \xe2\x80\xa2 Periodic monthly statement receipts grew to $1 billion, representing 42 percent of total\n       adjusted collections. Overall, there are nearly 12,000 ACE Secure Data Portal accounts,\n       and more than 8,000 corporate entities approved to pay duties and fees monthly.\n    \xe2\x80\xa2 CBP achieved the planned target for the ACE Critical Few performance measures, based\n       on the CBP Performance Reference Model (PRM), that track the number of ACE\n       accounts, the percentage of duties and fees paid via the ACE periodic monthly statement\n       process, the national percentage of e-Manifests filed, and the percent of reduction in truck\n       processing time due to e-Manifest filing.\n    \xe2\x80\xa2 CBP continues to fine tune ACE truck processing capabilities and is working to address\n       and resolve system defects. The completion of computer hardware upgrades that were\n       being performed during the survey period have resulted in officers at several ports\n       reporting a remarkable improvement in ACE processing speed. A recent consolidation of\n       system databases addressed previous system problems that often necessitated multiple\n       system queries to obtain truck-related information, and since the consolidation, ACE has\n       consistently provided officers with immediate access to this data. CBP also developed a\n       portal-generated \xe2\x80\x9ccover sheet\xe2\x80\x9d that can be used by carriers as proof of filing an e-\n       Manifest during system down times.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        71\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   CBP continues efforts to improve the availability and responsiveness of ACE user\n        support, as well as communications to users and stakeholders regarding system status.\n        Efforts taken to date include increasing help desk staff, referring more complicated\n        inquiries to a higher tier of support, using automated phone messages to alert callers to\n        system problems, and developing a communications plan for the immediate notification\n        of ACE status to users and stakeholders. CBP held a National Truck Manifest\n        Conference to brief CBP field staff on deployment, share lessons learned, and discuss\n        both standard operating procedures and the aforementioned user satisfaction survey.\n\n    ATS Targeting Rule Revisions/Automated Targeting System: CBP Targeting\n    Efforts/Initiatives\n    \xe2\x80\xa2 Developed and implemented a new weight set for security targeting of ocean cargo. In\n       addition the weight set performance is monitored and adjusted by incorporating identified\n       seizures into the proxy positive set utilized in the Receiver Operating Characteristics rule\n       performance model.\n    \xe2\x80\xa2 CBP has designed, developed, and deployed the Mock Shipment Module. This module\n       provides a platform for the development of scenario based shipment and evaluation of\n       rule performance.\n    \xe2\x80\xa2 Implemented with the U.S. Postal Service to utilize an automated targeting solution for\n       outbound mail.\n    \xe2\x80\xa2 Implemented a process to extract examination data, analysis shipment findings data,\n       compare targeted shipments findings data utilizing Receiver Operating Characteristics\n       (ROCs), conduct impact assessments, and modify rules and weight sets as need to\n       increase targeting effectiveness.\n\n    Office of International Trade\n    \xe2\x80\xa2 Organized the trade functions resident in three different CBP offices into one Office of\n       International Trade.\n    \xe2\x80\xa2 Signed a Memorandum of Cooperation with China on intellectual property intended to\n       reduce China\'s export of counterfeit goods.\n    \xe2\x80\xa2 Increased intellectual property seizures by 22 percent to 7,245 (323 of which have a\n       nexus to health and safety) with a value of $110 million, a year-on-year increase of 141\n       percent.\n    \xe2\x80\xa2 Published an updated System of Records Notice, under the Privacy Act, and a Notice of\n       Proposed Rulemaking for Privacy Act Exemptions in the Federal Register, and posted a\n       revised Privacy Impact Assessment on the DHS web site for the Automated Targeting\n       System (ATS). ATS is the premier tool employed by DHS and CBP to screen and vet, in\n       advance, both persons, coming to and departing from the United States, and all cargo\n       entering or exiting U.S. Commerce. The publication of this separate System of Records\n       Notice and Privacy Impact Assessment for ATS permits CBP to ensure protections for\n       individual privacy while contributing to the achievement of DHS\xe2\x80\x99 principal mission of\n       preventing and deterring terrorist attacks. The ATS System of Records Notice and\n       Privacy Impact Assessment establish strict time limits for the Government regarding the\n       retention of personal or identity information belonging to international travelers and\n       afford those same travelers the means to obtain access and correct the information that\n       the CBP has collected about them and their travel itinerary.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        72\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Enhanced the development of the ACE project by drafting and publishing Federal\n        Register Notices that expanded the implementation of ACE e-manifest for trucks to all\n        the land border locations and mandated the use of ACE e-manifest for trucks at all land\n        border locations except for ports in Alaska.\n    \xe2\x80\xa2   Supported the development of ACE by publishing Federal Register Notices that\n        established formal terms and conditions for participation of trade members in the ACE\n        test, increased the number and type of merchandise that can be released from CBP off the\n        ACE e-manifest for trucks, and allowed third-party service providers to submit e-\n        manifest information in the truck environment.\n    \xe2\x80\xa2   A final rule requiring United States citizens and nonimmigrant aliens from Canada,\n        Bermuda, and Mexico departing from or entering the United States from within the\n        Western Hemisphere at air ports-of-entry to present a valid passport was published on\n        November 24, 2006 in the Federal Register.\n    \xe2\x80\xa2   A final rule requiring that electronic manifest information for passengers on board\n        commercial aircraft arriving in and departing from the United States and passengers and\n        crew onboard arriving and departing commercial vessels (with certain exceptions) be\n        vetted by DHS against a government-established and maintained terrorist watch list prior\n        to departure of the aircraft or vessel was published on August 23, 2007 in the Federal\n        Register.\n    \xe2\x80\xa2   Issued regulations implementing several Free Trade Agreements, including U.S.\n        agreements with Chile, Singapore, Jordan, and Morocco.\n\n\nRemaining CBP Plans\n\n    Container Security Initiative (CSI)\n    \xe2\x80\xa2 Maintain 58 CSI ports, continuing coverage of 86 percent of containerized cargo destined\n      to the United States.\n    \xe2\x80\xa2 Train personnel to work with and support the Secure Freight Initiative (SFI).\n    \xe2\x80\xa2 Evaluate remote targeting pilot project with real-time remote imaging and live video of\n      the inspectional process.\n\n    Cargo Enforcement Reporting and Tracking System\n    \xe2\x80\xa2 Deployment to all U.S. seaports and airport, the 58 CSI ports and the one remaining SFI\n       port (Southampton, UK).\n\n    Customs-Trade Partnership Against Terrorism\n    \xe2\x80\xa2 Conduct approximately 3,500 validations in FY 2008\n    \xe2\x80\xa2 Finalize personnel actions to staff new offices in Buffalo, New York and Houston,\n       Texas.\n    \xe2\x80\xa2 Seek to finalize two additional Mutual Recognition Arrangements.\n\n    Automated Commercial Environment (ACE)\n    \xe2\x80\xa2 Develop new ACE capabilities to strengthen screening and targeting.\n    \xe2\x80\xa2 Complete deployment of ACE truck processing capabilities and expand the mandatory e-\n       Manifest policy.\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       73\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Continue development of new ACE capabilities that will further strengthen border\n        security and streamline operations for CBP officers and the trade community.\n\n2007 USCG Accomplishments\n\nThe USCG continued to mature its Ports, Waterways, and Coastal Security (PWCS) program\nincreasingly focusing on risk based measures and maximizing effects. Some key port security\naccomplishments include:\n\n    \xe2\x80\xa2   The Coast Guard updated its operations order for Operation NEPTUNE SHIELD, which\n        directs and guides field implementation of the PWCS mission. A few examples of recent\n        improvements include:\n            o Risk-based patrol activity: Improved effectiveness and efficiency of surveillance\n                patrols by focusing patrol activity near maritime CI-KR at greatest risk,\n                leveraging the Maritime Security Risk Analysis Model (MSRAM);\n            o Risk-based escorts: Focused escorts on vessels laden Especially Hazardous\n                Cargoes rather than all Certain Dangerous Cargoes;\n            o Increased availability of aerial assets to conduct patrols and escorts increased\n                USCG presence and reduced the threat of adversary planning; and\n            o Prioritizing Security Activities: Emphasized execution of activities that produced\n                greatest reductions in maritime risk and aligned resource usage on this risk based\n                approach.\n    \xe2\x80\xa2   Refined High Interest Vessel targeting matrix to focus boardings on vessels with highest\n        risk.\n    \xe2\x80\xa2   USCG commissioned two Maritime Force Protection Units, funded by the Navy, to\n        provide dedicated security to transiting SSBNs and free up other USCG assets to perform\n        other homeland security and non-homeland security missions.\n    \xe2\x80\xa2   Engaged with small vessel community thru the June 2007 DHS National Small Vessel\n        Security Summit to identify ways to mitigate risk associated with small vessels (< 300\n        Gross Tons).\n    \xe2\x80\xa2   USCG Atlantic Area Commander and USN Commander Second Fleet developed a\n        Homeland Security \xe2\x80\x93 Homeland Defense Concept Plan.\n    \xe2\x80\xa2   Verified compliance with Vessel and Facility Security Plans through announced and\n        unannounced spot checks and inspections\n    \xe2\x80\xa2   USCG completed two Waterways Suitability Reports for LNG facilities in FY 2007.\n    \xe2\x80\xa2   Underwater Terrorism Preparedness Plans (UTPPs) have been developed and delivered to\n        17 major ports. The goal of this program is to deliver actionable plans that local (field\n        level) USCG commanders can use to readily access information about underwater\n        capabilities and coordination mechanisms in their Area of Responsibility (AOR) to\n        prevent, detect, and respond to an underwater threat. UTPPs are locally developed\n        preparedness plans that establish preventive measures to make it more difficult for\n        terrorist to conduct underwater surveillance or launch underwater attacks in and around\n        our Marine Transportation System (MTS). Because if the complexity, scope, and\n        potential consequences of an underwater terrorist event, UTPPs focus on preparedness of\n        port partners through communications, coordination, enhanced awareness of potential\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       74\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        threats, and clear delineation of roles and responsibilities in enhancing underwater\n        security.\n    \xe2\x80\xa2   USCG reorganized its deployable response capabilities under the Deployable Operations\n        Group streamlining response capabilities of specialized teams and equipment to meet the\n        Department\xe2\x80\x99s all hazards protect and respond requirement.\n    \xe2\x80\xa2   USCG made significant improvements in National Maritime Strategic Risk Assessment\n        (NMSRA), which enhances the utility of MSRAM.\n\nRemaining USCG Plans\n\n    \xe2\x80\xa2   The Coast Guard is in the final stages of review and prepared to publish an updated\n        version of Combating Maritime Terrorism. This campaign plan details the way ahead for\n        the PWCS mission and further expounds upon maritime governance, the Coast Guard\xe2\x80\x99s\n        three-pronged approach to protecting the Nation\xe2\x80\x99s ports and waterways. As the\n        Combating Maritime Terrorism plan matures, activities will be refined, risk reduction\n        numbers will be validated, and the Coast Guard will leverage its DHS lead Federal\n        agency role to provide a more comprehensive maritime risk reduction strategy.\n    \xe2\x80\xa2   The Coast Guard leads an interagency group developing the National Strategy for Small\n        Vessel Security that specifically examines and addresses the threats small vessels pose to\n        free and smooth maritime commerce.\n    \xe2\x80\xa2   The Coast Guard is consolidating the documents, policies, and procedures that\n        encompass port security into a concise manual that provides direction to field units in the\n        successful protection of the Nation\xe2\x80\x99s ports and free and smooth maritime commerce.\n    \xe2\x80\xa2   The Coast Guard is developing implementation plans for an aggressive weapons training\n        policy that maximizes technologies, reduces costs, is more environmentally friendly, and\n        reduces risk.\n    \xe2\x80\xa2   Maritime Force Protection Units: The first dedicated vessel arrives at Kings Bay,\n        Georgia, in December 2007 and second arrives at Bangor, Washington, in April 2008.\n    \xe2\x80\xa2   The Coast Guard made significant progress in FY 2007 toward updating Area Maritime\n        Security Plan and Area Maritime Security Committee guidance. Through an inter-agency\n        working group this plan will include implementation of the new SAFE Port Act (Section\n        101) requirements for a Salvage Response Plan to support expeditious post-TSI\n        resumption of commerce. It also will assist in the implementation of the new DHS\n        Strategy to Enhance International Supply Chain Security. This will then complete the\n        first formal five year review and approval cycle mandated by MTSA.\n    \xe2\x80\xa2   The Coast Guard intends to develop and deliver Underwater Terrorism Preparedness\n        Plans to 12 additional ports.\n    \xe2\x80\xa2   The Coast Guard is co-leading an effort with DHS to develop Adaptable Capability\n        Packages of DHS-agencies specialized teams to respond and mitigate non-National\n        Response Framework incidents. Testing of the concept continues with overall positive\n        results.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        75\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nGAO High-Risk Area - Protecting the Federal Government\xe2\x80\x99s Information\nSystems and the Nation\xe2\x80\x99s Critical Infrastructures\nSummary of High-Risk Identification \xe2\x80\x93 As identified by GAO, protecting Federal computer\nsystems and the systems that support critical infrastructures - referred to as cyber critical\ninfrastructure protection - is a continuing concern. The continued risks to information systems\ninclude escalating and emerging threats such as phishing, spyware, and spam; the ease of\nobtaining and using hacking tools; the steady advance in the sophistication of attack technology;\nand the emergence of new and more destructive attacks.\n\nGAO notes that as the focal point for Federal efforts to protect the Nation\xe2\x80\x99s critical\ninfrastructures, DHS and its National Cyber Security Division have key cybersecurity\nresponsibilities and claims that DHS has not yet completely fulfilled any of its key\nresponsibilities. As an example, GAO asserts that DHS has not yet developed national cyber\nthreat and vulnerability assessments or public/private recovery plans for cybersecurity. Per GAO,\nprogress has been impeded by several challenges, including the reluctance of many in the private\nsector to share information with DHS, and a lack of departmental organizational stability and\nleadership needed to gain the trust of other stakeholders in the cybersecurity world.\n\n2007 Accomplishments\n\nDHS\xe2\x80\x99 National Cyber Security Division (NCSD), within the Office of Cyber Security and\nCommunications (CS&C), continues to make progress developing and enhancing cyber analysis,\nwatch and warning, and collaboration with the private sector:\n\n    \xe2\x80\xa2   NCSD\xe2\x80\x99s U.S. Computer Emergency Readiness Team (US-CERT) provides a 24 hour, 7-\n        day a week watch center to conduct daily analysis and situational monitoring to provide\n        information on incidents and other events, as they are detected, to raise awareness and\n    \xe2\x80\xa2   understanding of the current operating environment. The timely detection and analysis of\n        cyber attacks helps to assess operational risk and mitigate the impact to our Nation\xe2\x80\x99s\n        critical infrastructure.\n    \xe2\x80\xa2   US-CERT\xe2\x80\x99s Einstein program enables the rapid detection of current and pending cyber\n        attacks affecting agencies and provides Federal agencies with early incident detection.\n        The information gathered by Einstein is used to provide actionable and timely alerts and\n        reporting regarding current and impending cyber attacks, as well as indications and\n        warnings of actual and potential intrusions to Federal Government computer security\n        teams.\n    \xe2\x80\xa2   US-CERT produces products that increase awareness among public and private sector\n        stakeholders, including critical infrastructure owners and operators. This near real-time\n        data collection and information sharing reduces cyber infrastructure vulnerabilities. US-\n        CERT notifies public and private partners through a variety of products that encompass\n        the National Cyber Alert System (NCAS). US-CERT established a vulnerability\n        remediation process and the NCAS to collect, mitigate, and disseminate vulnerability\n        information. NCAS is America\'s first cohesive national cyber security system for\n        identifying, analyzing, and prioritizing emerging vulnerabilities and threats. NCAS\n        delivers targeted, timely, and actionable information for technical and non-technical\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       76\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        audiences to enhance security. NCAS reports are made available through the NCAS,\n        Information Sharing and Analysis Centers (ISACs), and on the US-CERT public website.\n    \xe2\x80\xa2   Specifically for critical infrastructures, US-CERT produces Critical Infrastructure\n        Information Notices (CIIN). Similar to the Federal Information Notice (FIN) provided to\n        Federal agencies, the products are intended to provide information about a cyber security\n        incident and make recommendations for avoiding or mitigating risks. The CIIN is\n        specifically written to notify private sector organizations and Federal agencies involved\n        with the protection of critical infrastructure.\n    \xe2\x80\xa2   US-CERT relies on its collaboration with a variety of stakeholders and is working to\n        formalize processes and procedures for collaboration with the private sector. US-CERT\n        developed a draft concept of operations (CONOPs) for Private Industry Cyber Security\n        Incident Handling that addresses information sharing, communication, and coordination\n        with the private sector, including the ISACs. The CONOPs, which will be finalized in\n        the near future, addresses sharing activities and coordination efforts with the private\n        sector for cyber incidents, including Internet disruption.\n\nIn addition, CS&C:\n\n        \xe2\x80\xa2   Drafted US-CERT Private Sector Concept of Operations (CONOPS).\n            o   Implemented US-CERT CONOPS across the Federal Government; the Office of\n                Management and Budget (OMB) determined the US-CERT CONOPS to be a\n                government regulation for Federal Government agencies within OMB.\n            o Updated and implemented US-CERT CONOPS with the White House Policy\n                Coordination Committee to define Personal Identifiable Information (PII)\n                reporting requirements.\n            o Refined Standard Operating Procedures (SOPs) to be consistent with US-CERT\n                CONOPS.\n        \xe2\x80\xa2   Standardized incident reporting across the government utilizing US-CERT\xe2\x80\x99s new\n            incident tracking mechanism.\n        \xe2\x80\xa2   Established an integrated joint operations center comprised of public and private\n            sector members consisting of IT and communications organizations.\n        \xe2\x80\xa2   Co-located US-CERT and National Coordinating Center for Telecommunications\n            watch operations to facilitate the sharing of critical cyber and communications\n            information.\n        \xe2\x80\xa2   Engaged with the Partnership for Critical Infrastructure Security (PCIS) and\n            Information and Analysis Center (ISAC) Council to develop a CONOPS and\n            associated plans for coordinated watch and warning and incident response.\n        \xe2\x80\xa2   Consistent with the NIPP Risk Management Framework, identified, assessed, and\n            prioritized risks to the IT and Communications infrastructure, by analyzing threat,\n            vulnerability, and consequence information.\n        \xe2\x80\xa2   Continued to expand the National Vulnerability Database (NVD) to help establish a\n            national baseline of specific standards to enable automated vulnerability management,\n            measurement, and policy compliance evaluation (e.g., FISMA compliance).\n        \xe2\x80\xa2   Provided outreach to the seventeen CI-KR sector operators; this provided situational\n            awareness for analysis across the Federal Government, critical infrastructure, and the\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       77\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n            private sector, and enabled the US-CERT Analysis Program to correlate significant\n            cyber incidents.\n\nRemaining Plans\n\nThe Department has also held, and will continue to hold, exercises as mechanisms to identify\nways to improve and promote public and private sector interaction toward enhancing situational\nawareness that supports decision making, communicating appropriate information to key\nstakeholder and the public, and planning and implementing response and recovery activities:\n\n    \xe2\x80\xa2   NCSD is actively planning its second large-scale national cyber exercise, Cyber Storm II,\n        which will be held in 2008. The exercise will build on Cyber Storm I, which enhanced\n        DHS\xe2\x80\x99 relationship with private sector participants and helped to establish trust between\n        the public and private sectors for future information sharing efforts. Cyber Storm II is\n        being planned in close coordination with its stakeholders and participants. The exercise\n        will feature a cyber-focused scenario that will escalate to the level of a cyber incident\n        requiring a coordinated Federal response. Cyber Storm II is part of DHS\xe2\x80\x99 ongoing risk-\n        based management effort to use exercises to enhance government and private sector\n        response to a cyber incident, promote public awareness, and reduce cyber risk within all\n        levels of government and the private sector.\n    \xe2\x80\xa2   Cyber Storm II will also provide an opportunity to exercise new government and private\n        sector concepts and processes developed since Cyber Storm I, such as Concepts of\n        Operations and Standard Operating Procedures. The scenario will utilize coordinated\n        cyber and physical attacks on critical infrastructures within selected sectors to meet a\n        specific political and economic agenda (these cyber attacks will be simulated and will not\n        impact any live networks). Participation will include Federal, State, local, and\n    \xe2\x80\xa2   international governments, as well as private sector players from multiple critical\n        infrastructure sectors. These types of exercises enable DHS to maintain and strengthen\n        cross-sector, inter-governmental and international relationships, enhance processes and\n        communications linkages, and ensure continued improvement to cyber security\n        procedures and processes. Exercises also promote information sharing among\n        participants and build relationships for future collaboration.\n\nIn addition, CS&C will:\n\n    \xe2\x80\xa2   Increase manpower for 24/7 US-CERT Operations Center to provide the capability for in-\n        depth incident tracking, detection, and mitigation.\n    \xe2\x80\xa2   Continue to respond with a coordinated national system to major cyber and\n        communications disruptions to restore essential communications.\n    \xe2\x80\xa2   Continue to establish an integrated joint operations center comprised of public and\n        private sector members consisting of IT and communications organizations.\n    \xe2\x80\xa2   Continue to work with international partnerships to enable security partners to work\n        together to promote secure, resilient IT and communications infrastructure.\n    \xe2\x80\xa2   Continue to identify, assess, and prioritize risks to the IT and Communications\n        infrastructure by analyzing threat, vulnerability, and consequence information.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        78\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2 Continue to expand the National Vulnerability Database (NVD) to help establish a\n      national baseline of specific standards to enable automated vulnerability management,\n      measurement, and policy compliance evaluation (e.g., FISMA compliance).\n\n\nGAO High-Risk Area - Implementing and Transforming the Department of\nHomeland Security\nSummary of High-Risk Identification: GAO designated implementing and transforming DHS as\nhigh-risk in 2003 because DHS had to transform and integrate 22 agencies \xe2\x80\x93 several with\nexisting program and management challenges \xe2\x80\x93 into one department, and failure to effectively\naddress its challenges could have serious consequences for homeland security.\n\nManaging the transformation of an organization of the size and complexity of DHS requires\ncomprehensive planning and integration of key management functions that will likely span a\nnumber of years. DHS has made progress in these areas but additional work is required to ensure\nsustainable success (GAO-07-833T).\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   Outlined and monitored financial material weakness corrective actions and built internal\n        control management assertions in the Internal Control Over Financial Reporting (ICOFR)\n        Playbook.\n    \xe2\x80\xa2   Increased IT system availability and disaster recovery capability with 24/7 operational\n        support and infrastructure security in preparation for national incidents or disasters by\n        initiating the migration of legacy data centers to two DHS Data Centers.\n    \xe2\x80\xa2   Implemented a strategy to enhance information sharing by improving workflow,\n        document management, and business processes to increase user satisfaction by 40\n        percent, decrease cost by 15 percent, and reduce production time by 25 percent.\n    \xe2\x80\xa2   Improved interoperable facility and system access for employees by issuing a single,\n        secure, tamper-proof smartcard; the first card was issued prior to the October 27, 2006\n        deadline.\n    \xe2\x80\xa2   Increased procurement operational and strategic sourcing effectiveness by implementing\n        a central DHS-wide Program Management Support Office.\n    \xe2\x80\xa2   Implemented a strategy to improve the hiring and retention of talent needed to achieve\n        DHS\xe2\x80\x99 mission by focusing on five key priorities in the FY 2007-2008 Human Capital\n        Operational Plan.\n    \xe2\x80\xa2   Improved leadership preparation by developing and implementing a Department-wide\n        senior executive service development program.\n    \xe2\x80\xa2   Streamlined training delivery and opportunities for employees through a new enterprise\n        Learning Management System (currently available to DHS Headquarters, Transportation\n        Security Agency (TSA), and other Component employees).\n    \xe2\x80\xa2   Designed a consolidated DHS Headquarters facility that will co-locate disparate national\n        capital regional offices. The design completes phase one of the consolidation plan.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                       79\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\n    \xe2\x80\xa2   Review alignment of department programs and projects to updated mission goals and\n        work to improve consistent and transparent method to measure the status and progress of\n        defined performance expectations for projects and programs.\n    \xe2\x80\xa2   Develop action plans to correct and monitor internal control weaknesses and compliance\n        using GAO guidance such as \xe2\x80\x9cStandards for Internal Control in the Federal\n        Government.\xe2\x80\x9d\n    \xe2\x80\xa2   Improve performance measures with the assistance of department-wide program analyst\n        and evaluation teams.\n    \xe2\x80\xa2   Issue Integrated Planning Guidance informed by threat and vulnerability assessments for\n        budget planning cycles.\n    \xe2\x80\xa2   Create technology initiatives that provide real-time connectivity between forward\n        incident commanders and Joint Field Office communication platforms.\n    \xe2\x80\xa2   Ensure more effective procurement practices across Department contracting offices\n        through strategic sourcing and supplier management.\n\n\nGAO High-Risk Area \xe2\x80\x93 Establishing Appropriate and Effective Information-\nSharing Mechanisms to Improve Homeland Security\nSummary of High-Risk Identification: As stated in the 2007 GAO high-risk report update, the\nFederal Government still faces formidable challenges in analyzing and disseminating key\ninformation among Federal, State, local, and private partners in a timely, accurate, and useful\nmanner. Since September 11, 2001, multiple Federal agencies have been assigned key roles for\nimproving the sharing of information critical to homeland protection to address a major\nvulnerability exposed by the attacks, and this important function has received increasing\nattention. However, the underlying conditions that led to the designation continue and more\nneeds to be done to address these problems and the obstacles that hinder information sharing.\n\nThe Federal Government still has not implemented the government-wide policies and processes\nthat the 9/11 Commission recommended and that Congress mandated. Completing the\ninformation sharing environment is a complex task that will take multiple years and long-term\nadministration and congressional support and oversight, and will pose cultural, operational, and\ntechnical challenges that will require a collaborated response.\n\nFederal agencies are also focusing on improving sharing with States, localities, and the private\nsector - a critical step since they are our first line of defense against terrorists - but these efforts\nare not without challenges. DHS has implemented a program to protect sensitive information the\nprivate sector provides on security at critical infrastructure assets, such as nuclear and chemical\nfacilities. However, users of the information network were confused and frustrated with the\nsystem and as a result do not use it regularly; and DHS has still not won all of the private sector\xe2\x80\x99s\ntrust that the agency can adequately protect and effectively use the information that sector\nprovides. These challenges will require longer-term actions to resolve.\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                             80\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nHowever, the Department notes that implementation and initial manning of DHS\xe2\x80\x99 State and\nLocal Fusion Centers (SLFC) over the last year has gone a long way toward improving the\ninformation sharing nexus between DHS and its partners. DHS\xe2\x80\x99 primary partners are State and\nlocal governments (including tribal and territorial) and the private sector. These entities collect\ninformation outside the boundaries of the Intelligence Community (IC). Simultaneously, they\nhave information needs not always recognized by the traditional IC agencies. DHS was created,\nin part, to bridge this gap and develop fusion at the national, vice federal, level.\n\nTo meet their own all-threats, all-hazards information needs many states and larger cities have\ncreated fusion centers. Fusion centers represent the logical touch-points for DHS to harvest local\ninformation and to provide them with timely relevant information and intelligence derived from\nall sources and analysis.\n\nThe DHS support effort provides people and tools to the SLFCs to create a web of\ninterconnected information nodes across the country that will ensure information is gathered\nfrom all relevant operations and is fused with information from the Homeland Security\nStakeholder Community to enable SLFCs and DHS to produce accurate, timely, and actionable\nintelligence products and services in support of homeland security.\n\nOn June 7, 2006, the Office of Intelligence & Analysis (I&A) was designated as the Executive\nAgent to manage the DHS State and Local Fusion Center program. It has been codified by PL\n110-53, the law implementing the recommendations of the 9/11 Commission. This law requires\nthat DHS take a stronger, more constructive role to assist SLFCs.\n\nThe SLFC Program is a major initiative to engage all players, at all levels of government, in\nconfronting threats to the Homeland. It is a key element of DHS\xe2\x80\x99 strategy to exchange\ninformation with State and local authorities. Our goal is to create analytic centers of excellence\nnationwide to develop and exchange information with the Federal Government.\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   The Secretary of Homeland Security issued a DHS-wide policy on information sharing,\n        DHS Policy for Internal Information Exchange and Sharing, which provides guidance for\n        all departmental information sharing activities. To supplement this memorandum,\n        additional policy guidance and an Information Sharing and Access Agreement (ISAA)\n        Guidebook are being developed to assist Components in creating information sharing\n        agreements.\n    \xe2\x80\xa2   DHS has established and is operating a three-tiered governance structure for information\n        sharing. At the executive level, the Information Sharing Governance Board (ISGB) meets\n        quarterly to decide department-wide information sharing issues. At the management\n        level, the Information Sharing Coordinating Council, comprised of representatives from\n        all DHS Components and offices, meets semi-monthly to bring information sharing\n        issues to the table and to formulate recommendations for the ISGB. At the execution\n        level, the Shared Mission Communities and Integrated Project Teams meet regularly to\n        develop solutions for information sharing issues.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         81\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n    \xe2\x80\xa2   Through the governance structure, a Law Enforcement SMC was established, which\n        represents the first time that DHS law enforcement components have come together to\n        discuss their mutual needs for information sharing. The LE-SMC is in the process of\n        finalizing a DHS Law Enforcement Information Sharing Strategy.\n    \xe2\x80\xa2   In response to direction from the ISGB, DHS is finalizing a department-wide Concept of\n        Operations (CONOPS) for how components of the Department will interact with State\n        and local fusion centers to ensure consistency and continuity.\n    \xe2\x80\xa2   DHS created a department-wide metric for information sharing as part of the\n        Department\xe2\x80\x99s Performance Plan that will examine compliance against the DHS policy on\n        information sharing.\n    \xe2\x80\xa2   The Secretary added a goal on information sharing to the Secretarial Priorities. The\n        Department will measure its progress against this goal on a monthly basis.\n    \xe2\x80\xa2   Last year Intelligence & Analysis (I&A) started the State and Local Fusion Program to\n        deploy intelligence officers to fusion centers. I&A is deploying people and tools to build\n        a national fusion center network.\n    \xe2\x80\xa2   Recognition of I&A\xe2\x80\x99s efforts by Congress in the 9/11 Implementation law will help I&A\n        build and sustain the Program.\n            o Currently I&A has 19 intelligence officers deployed nationwide.\n            o The Secretary has committed to 35 deployed officers by the end of FY 2008.\n    \xe2\x80\xa2   Homeland Secure Data Network (HSDN), DHS\xe2\x80\x99 SECRET-level data network, is in 18\n        centers and will be doubled by the end of FY 2008.\n            o I&A is building an analytic training program \xe2\x80\x93 equivalent to what it has for its\n                own officers \xe2\x80\x93 for the state and local analysts in fusion centers.\n            o Privacy and civil rights training is being developed and will be delivered as well.\n    \xe2\x80\xa2   I&A\xe2\x80\x99s officers in the fusion centers help to develop the human network that creates true\n        information sharing across the country. They are the link to I&A, DHS, and the\n        Intelligence Community from our State and local partners.\n    \xe2\x80\xa2   I&A is focused on supporting the SLFCs as the centers of gravity in each state. I&A:\n            o provides the national threat perspective, warning information, and responses to\n                requests to information,\n            o writes products for, and with, state and local customers,\n            o collaborates in researching topics with subject matter experts in SLFCs,\n            o hosts analytic exchange conferences,\n            o provides daily intelligence support,\n            o posts and disseminates raw and finished intelligence products on HSIN State and\n                Local unclassified portal and HSDN (classified network), and\n            o supports development of Homeland Intelligence Reports (HIRs) from state- and\n                local-origin information to provide to the Intelligence Community.\n    \xe2\x80\xa2   Current Department of Defense (DoD) policy prevents us from giving access to the\n        intelligence on SIPRNET via HSDN to our State and local partners. We have been\n        working with DoD for the past year to change that policy and ensure that our investment\n        in providing HSDN access to State and locals will be as fruitful as possible, so that we\n        can live up to our \xe2\x80\x9cresponsibility to provide\xe2\x80\x9d federal information to these partners.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                        82\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\nRemaining Plans\n\n    \xe2\x80\xa2   In the area of SLFCs, the key to harvesting the value from them is in tailoring DHS\xe2\x80\x99\n        support offering to meet their specific needs. This process begins with an assessment of\n        the SLFC by a team of staff officers. The result is a set of recommendations on staffing\n        and services that will deliver value to both DHS and the Fusion Center. Assessments\n        have been conducted at 27 Fusion Centers across the country. Assessments will be done\n        at more centers in FY 2008.\n    \xe2\x80\xa2   Based on the results of the SLFC assessments and other factors, DHS has deployed\n        intelligence officers to State Fusion Centers in Maryland, Georgia, Louisiana, Arizona,\n        New York, Virginia, Illinois, Florida, California, Ohio, New Jersey, Massachusetts,\n        Connecticut, and Washington State as well as to major city or regional centers in New\n        York City, Los Angeles, and Dallas. The intent is to deploy officers to several more\n        locations this year. As resources permit, DHS plans to have officers in as many as 35\n        sites by the end of fiscal year 2008.\n    \xe2\x80\xa2   All SLFCs will soon have access to the HSDN, a SECRET collateral capability. Every\n        SLFC will have an HSDN webpage to post State- and local-origin products making them\n        available to other SLFCs and the Intelligence Community. These systems will create the\n        information sharing environment necessary to enable information flow among the DHS\n        intelligence and operational communities and the States.\n\n\nGAO High-Risk Area \xe2\x80\x93 National Flood Insurance\nSummary of High-Risk Identification \xe2\x80\x93 GAO placed the National Flood Insurance Program\n(NFIP) on its high-risk list in March 2006 because the NFIP will unlikely generate sufficient\nrevenues to repay the billions borrowed from the Department of the Treasury to cover flood\nclaims from the 2005 hurricanes. And it is unlikely that NFIP\xe2\x80\x94a key component of the Federal\nGovernment\xe2\x80\x99s efforts to minimize the damage and financial impact of floods\xe2\x80\x94could cover\ncatastrophic losses in future years. Estimated claims for Hurricanes Katrina, Rita, and Wilma far\nsurpass the total claims paid in the 38-year history of the NFIP. The insufficient revenues\nhighlight structural weaknesses in how the program is funded.\n\nThe NFIP, by design, is not actuarially sound. Total collected premiums will unlikely be\nsufficient to pay all expected flood losses over time. In addition, the program is not structured to\nbuild loss reserves like a typical commercial insurance company, and it does not build and hold\ncapital. Instead, it generally pays claims and expenses out of current premium income. When it\nhas insufficient income to pay claims, the NFIP has authority to borrow from Treasury. It is\nhighly unlikely that the NFIP, as currently funded, could generate revenues to repay Treasury,\nparticularly if future hurricanes result in loss levels greater than the average historical loss levels.\n\n2007 Accomplishments\n\n    \xe2\x80\xa2   Improved NFIP delivery by: (a) distributing the NFIP Summary of Coverage and the\n        Flood Insurance Claims Handbook to policyholders; (b) issuing informative\n        supplemental policy coverage forms with new and renewed flood insurance policies; (c)\n        providing Acknowledgement Forms to flood insurance policy purchasers; (d)\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                             83\n\x0c Management\xe2\x80\x99s Response to Major Management Challenges Facing the Department of Homeland Security\n\n\n\n\n        implementing important agent-training initiatives, (e) adopting a flood insurance claims\n        appeals rule, and (f) carrying out initiatives that address repetitive loss properties.\n    \xe2\x80\xa2   In FYs 2006 and 2007, FEMA transferred $40 million from the National Flood Insurance\n        Fund to mitigate severe repetitive loss properties. The FY 2008 President\xe2\x80\x99s Budget\n        requested an additional $80 million for SRL.\n    \xe2\x80\xa2   The Severe Repetitive Loss (SRL) Interim Rule was published on October 31, 2007 at 72\n        FR 61720. After the regulations go into effect on December 3, 2007, FEMA will provide\n        guidance to potential applicants, and will begin awarding funds.\n    \xe2\x80\xa2   Greatly increased the number of agents who are trained to sell flood insurance.\n    \xe2\x80\xa2   The Repetitive Flood Claims Program distributed a total of $19.8 million in FY 2006 and\n        2007 to help communities remove more than 80 buildings from floodplains.\n    \xe2\x80\xa2   The Flood Mitigation Assistance Program committed $31 million to States for various\n        floodplain management projects and plans. These programs, combined with flood\n        insurance and other mitigation activities are important elements of a systematic effort to\n        eliminate the flood-rebuild-flood scenario.\n    \xe2\x80\xa2   Through the delivery of the Floodplain Management programs in FY 2007 and FY 2008,\n        FEMA continues to lead a national effort to:\n            o Identify and improve the understanding of communities\xe2\x80\x99 flood hazards and their\n               risks by providing flood hazard maps.\n            o Develop and improve techniques and planning processes which mitigate those\n               flood risks.\n            o Provide technical assistance and an environment at the State and local levels that\n               is conducive to applying those techniques and processes.\n            o Provide financial assistance to states to support State NFIP implementation and\n               compliance activities.\n            o Support development of incentives and disincentives that make application of\n               those techniques and processes a social, political, and/or economic priority.\n\nRemaining Plans\n\n    \xe2\x80\xa2   Issue SRL program implementation plans and guidance in December 2007, and solicit and\n        award grant applications. This initial implementation year will include FY 2006, 2007 and\n        2008 funding.\n    \xe2\x80\xa2   FEMA will continue efforts to streamline the grant award process for all hazard mitigation\n        assistance program grants, including Flood Mitigation Assistance (FMA), SRL and\n        Repetitive Flood Claims (RFC). Guidance will be issued early in the fiscal year so as to\n        open and close the application period earlier. In FY 2008, FEMA expects to expand the\n        mitigation options available under the RFC program to include property acquisitions,\n        elevations, dry flood-proofing and minor localized flood control projects to achieve the\n        greatest savings to the fund in the shortest time. In FY 2008, approximately 15 awards to\n        communities for 35 to 40 properties are expected. Efforts to engage partners and coordinate\n        implementation of the FMA and RFC programs with the expanded SRL program will be\n        continued.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report                         84\n\x0cAppendix A\nReport Distribution\n\n\n        Department of Homeland Security\n\n\n        Secretary\n        Deputy Secretary\n        Executive Secretariat\n        Chief of Staff\n        Deputy Chief of Staff\n        General Counsel\n        Under Secretary Management\n        Assistant Secretary for Public Affairs\n        Assistant Secretary for Policy\n        Assistant Secretary for Legislative Affairs\n        Chief Financial Officer\n        Chief Information Officer\n        Chief Security Officer\n        Chief Privacy Officer\n        DHS OIG/GAO Audit Liaison\n\n        Office of Management and Budget\n\n        Chief, Homeland Security Branch\n        DHS\xe2\x80\x99 OIG Program Examiner\n\n        Congress\n\n        Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report        85\n\x0c Additional Information and Copies\n\n To obtain additional copies of this report, call the Office of Inspector General\n (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web\n site at www.dhs.gov/oig.\n\n OIG Hotline\n\n To report alleged fraud, waste, abuse or mismanagement, or any other kind of\n criminal or noncriminal misconduct relative to department programs or\n operations:\n\n      \xe2\x80\xa2   Call our Hotline at 1-800-323-8603;\n      \xe2\x80\xa2   Fax the complaint directly to us at (202) 254-4292;\n      \xe2\x80\xa2   Email us at DHSOIGHOTLINE@dhs.gov; or\n      \xe2\x80\xa2   Write to us at:\n            DHS Office of Inspector General/MAIL STOP 2600, Attention:\n            Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n            Washington, DC 20528.\n\n  The OIG seeks to protect the identity of each writer and caller.\n\n\n\n\nDepartment of Homeland Security Fiscal Year 2007 Annual Financial Report              86\n\x0c'